Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


CBL claims (not backed up by anything)

  • Please log in to reply
8 replies to this topic

#1 barleysinger


  • Members
  • 7 posts
  • Local time:11:17 PM

Posted 22 October 2013 - 02:12 AM

*** BASIC SETUP ****
Satellite internet
TLWRD3600 (tplink) router (mostly using wifi)
We live way out in the country (whic is why we have Satellite internet) so there are no houses close enough to steal our wifi

Most of this time only one desktop PC (old, XP PRO DELL OPTIPLEX). There are also 2 droids, 2 Nintendo DS & one 3DS

*** The problem ***

The CBL site keeps claiming I have problems which *CANNOT* be found by ANY piece of software, even those that they state will find the problem, built just to find that one problem (virus, adware, malware, trojan, bot net, rootkit removers, etc). Even programs recommended in a CBL blacklist check, find nothing.. This is not effecting my ability to use email (for some reason nobody blocks me) but a few web sites that misuse the CBL will not let me get an account or post ... which us how I found out about all of this. I wanted to ask questions on a video site and they would not let me on it.

ONLY one site other than the CBL claims anything about my IP.  It is "l2.apews.org" and it is blocking my entire ISP (since 2010). None of the other spam BLACKLIST sites list my IP address. I tested this on a site that checks 80 databases (http://whatismyipaddress.com/blacklist-check)

The CBL information (what they claim is wrong) keeps being different every few days. Here is a list  (the ones I know about) for the last few weeks:

2013-10-05 01:00 GMT         zeroaccess root kit
2013-10-14 10:06:57            s_smart12
2013-10-20 07:00 GMT        ZeuS trojan, also known as "Zbot" and "WSNPoem".
013-10-21 23:00 GMT          IP Address #.#.#.# is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

I have a lot of good software and none of it has detected any of this. Even the special rootkits do not find the rootkits the CBL says I have. Here is a list of what I have used :

rmzeroaccess.exe  (The zeroaccess rootkit remover from AVG)
SecurityCheck.exe (got it here)
rootkitremover.exe (by McAfee, which as it is a McA'fee' product, it found nothing as always)
AVG free and MALWAREBYTES find nothing
AVIRA free

Yet the CBL claims a virus/trojan or BotNet was found recently (within a few days max) every time that I go there and check my IP and as you can see every few days they change which one they claim I have...yet as I am siposed ot have all this bad traffic coming from my network

* how is it no other good blacklist agrees with the CBL?
* why doesn't my anti-virus scanning find anything?

After running a dozen different well reviewed pieces of FREE antivirus software I have had no detections or removals for any of the things they have claimed I have....and I started runnin ghtme to get rid of ASK toolbar (which i got from CNET.DOWNLOADS.COM when I got an ASPI driver set from APAPTEC). Never use downloads.com for anything. They have now been fully tested, and definitely do install FOISTWARE and MALWARE when a person downloads form them - even if you use a direct link they do it to you.

Eventually I even tried SpyHunter - (now removed - it is close to being a fake registry cleaner/fake antivirus program itself)

THIS one piece of software (SpyHunter with the bad reputation) claims that I have "trojan.generic" which is also very bad, but nothing else finds it (even things recommended for removing it like RKill followed by MALWAREBYTYES) and SpyHunter insists that I pay them to get rid of the thing they say they found..

SpyHunter claimed to find "6 infections" of trojan.generic
SpyHunter also gave NO REAL DETAIL about which file(s) is/are involved or if it is a registry entry only

I wanted to be sure it was gone and SpyHunter won't remove anything unless you pay them (which makes their product "$care ware"  even if the warnings are real).

Then I used these :

* Norton Power Eraser (NPE) : it is recomended for this problem
- -  did not find anything at all
* TDSSKIller (by kaspersky)  : it is recomended for this problem
- -  did not find trojan.generic (read that it was recomnded for the removal of this item)
* Malwarebytes  : it is recomended for this problem
- -  did not find trojan.generic (a tool recomnded online for that trojans removal)
* AVG Antivirus did not find trojan.generic
* mcafee did not find it (but it never seems to find anything)

I ran several rootkit removers as well (which found nothing)

After running all of this, I found only a few pieces of an couple of old toillbars still having around in my system registry (you would think that by now, ASK would be gone considering all I have done to kill it over the years).

 ran every antimalware, antisoyware, antitrojan and antivirus software that I have. Norton Eraser (as usual) popped up a list of items which were fine (all good programs, like PHOTOSHOP, and every single exe in OFFICE ). Eraser complains if your software is not the same revision as your OS.

So I did another search and went to symantec.com & Symantec said to "Run Norton Power Eraser (NPE)" and I did that already.

Is any of this real?
How can I tell?
Wireshark does not seem to find anything either as I have a few  logs from WireShark and none of them have anything questionable (known bad IPs) aside from some annoying "amazonaws.com" traffic (and I have no idea what parts of that are OK and which might be tied to botnets - and Amazon does not seem to care).

--------------- HERE IS THE FILE TO INCLUDE -------------
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512  BrowserJavaVersion: 10.45.2
Run by Katie at 16:34:16 on 2013-10-22
============== Running Processes ================
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Burners\CDBurnerXP\NMSAccessU.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Best Youtube Downloader\Basement\ExtensionUpdaterService.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BenQ\DC1300\DCMnt1_0\DC1300mi.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Process Lasso\processlasso.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Documents and Settings\Katie\Application Data\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ArcSoft\VideoImpression 2\CancelAutoPlay.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\wampserver\bin\apache\apache2.2.6\bin\httpd.exe
C:\Program Files\wampserver\bin\apache\apache2.2.6\bin\httpd.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Program Files\Best Youtube Downloader\Basement\BackgroundEngine.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
============== Pseudo HJT Report ===============
uInternet Connection Wizard,ShellNext = hxxp://www.thekidzpage.com/
uURLSearchHooks: {B922D405-6D13-4A2B-AE89-08A030DA4402} - <orphaned>
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} -
uURLSearchHooks: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - <orphaned>
uURLSearchHooks: {465fcfbb-47a4-4866-a5d5-d12f9a77da00} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre2.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: HistoryTriggerBHO Class: {21A88CB9-84D2-4020-A2D1-B25A21034884} - c:\program files\lg electronics\lg pc suite iv\linkair\LinkAirBrowserHelper.dll
BHO: Skype add-on (mastermind): {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: mixidj Helper Object: {4D6A9BBF-402C-4301-B1EF-28D04F71D761} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Best Youtube Downloader: {aba4f4bd-6132-4a75-9c09-49370a0b4f5c} - c:\program files\best youtube downloader\basement\Extension32.dll
BHO: DealPly Shopping: {ae48ed75-5a56-4c5f-bbce-6f1ac3875f66} -
BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - <orphaned>
BHO: CrowdStar Gamebar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Freecorder Toolbar: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - c:\program files\freecorder\prxtbFre2.dll
TB: CrowdStar Gamebar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre2.dll
TB: <No Name>:  - LocalServer32 - <no file>
TB: CrowdStar Gamebar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: MixiDJ Toolbar: {CA9B9C89-4662-4ADC-9C23-A452BECD5D19} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Spotify Web Helper] "c:\documents and settings\katie\application data\spotify\data\SpotifyWebHelper.exe"
uRun: [News.net] c:\program files\news.net\breakingnews\DesktopContainer.exe
uRun: [DellSystemDetect] c:\documents and settings\katie\start menu\programs\dell\Dell System Detect.appref-ms
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\lgfw.exe" blrun
mRun: [DC1300 Monitor] c:\program files\benq\dc1300\dcmnt1_0\DC1300mi.exe
mRun: [DC1300monitor] c:\program files\dc1300\dcmnt1_0\DC1300mi.exe
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [MacrokeyManager] WTMKM.exe
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [ProcessLassoManagementConsole] c:\program files\process lasso\processlasso.exe
mRun: [ProcessGovernor] c:\program files\process lasso\processgovernor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [IJNetworkScannerSelectorEX] c:\program files\canon\ij network scanner selector ex\CNMNSST.exe /FORCE
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [DiscWizardMonitor.exe] "c:\program files\seagate\discwizard\DiscWizardMonitor.exe"
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
uPolicies-Explorer: NoDriveAutoRun = dword:3
mPolicies-Explorer: NoDriveAutoRun = dword:3
mPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Leave a note for Been users - c:\program files\best youtube downloader\basement\BackgroundEngine.exe/205
IE: &Remove from Been Clickstream - c:\program files\best youtube downloader\basement\BackgroundEngine.exe/206
IE: &Save as Been Favorite - c:\program files\best youtube downloader\basement\BackgroundEngine.exe/204
IE: &Thumbs Down - c:\program files\best youtube downloader\basement\BackgroundEngine.exe/202
IE: &Thumbs Up - c:\program files\best youtube downloader\basement\BackgroundEngine.exe/201
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: dell.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1332262703906
TCP: NameServer =
TCP: Interfaces\{7A59A6DD-44F4-4AC9-B838-BD68B00C5AA4} : DHCPNameServer =
Notify: cryptnet32 - cryptnet32.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\docume~1\alluse~1\applic~1\wincert\win32c~1.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
================= FIREFOX ===================
FF - ProfilePath - c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\activegs@freetoolsassociation.com\plugins\npActiveGS.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1203133.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1204144.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - ExtSQL: 2013-08-31 18:13; cachedownload@phigDR.projects; c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\cachedownload@phigDR.projects.xpi
FF - ExtSQL: 2013-09-08 04:52; {DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}; c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\firefox\Ext
FF - ExtSQL: 2013-09-14 16:42; firefox1@myibay.com; c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\firefox1@myibay.com.xpi
FF - ExtSQL: 2013-10-01 01:01; {906000a4-88d9-4d52-b209-7a772970d91f}; c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\{906000a4-88d9-4d52-b209-7a772970d91f}
FF - ExtSQL: 2013-10-01 01:03; ffxtlbr@mixidj.com; c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\ffxtlbr@mixidj.com
FF - ExtSQL: 2013-10-07 06:47; {3444c3c5-6c56-4a16-a453-832b05bf6ea4}; c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\{3444c3c5-6c56-4a16-a453-832b05bf6ea4}
FF - ExtSQL: 2013-10-21 07:15; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2019-09-25 22:40; {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}; c:\documents and settings\katie\application data\mozilla\firefox\profiles\a63jqmtl.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi
============= SERVICES / DRIVERS ===============
R? aiptektp;Pen Pad
R? Andbus;LGE Android Platform Composite USB Device
R? AndDiag;LGE Android Platform USB Serial Port
R? AndGps;LGE Android Platform USB GPS NMEA Port
R? ANDModem;LGE Android Platform USB Modem
R? anvsnddrv;AnvSoft Virtual Sound Device
R? ca82e1a5;Optimizer Pro Crash Monitor
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cnnctfy2MP;cnnctfy2MP
R? DC1300;DC 1300 WDM Video Capture
R? MBAMSwissArmy;MBAMSwissArmy
R? Nbdrv;NetBalancer Service
R? Revoflt;Revoflt
R? rm;rm
R? SafetyNutManager;SafetyNut Manager
S? !SASCORE;SAS Core Service
S? AntiVirSchedulerService;Avira Scheduler
S? AntiVirService;Avira Real-Time Protection
S? Avgldx86;AVG AVI Loader Driver
S? Avglogx;AVG Logging Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? avgntflt;avgntflt
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? avkmgr;avkmgr
S? ElRawDisk;ElRawDisk
S? esgiguard;esgiguard
S? ESProtectionDriver;Malwarebytes Anti-Exploit
S? Freemake Improver;Freemake Improver
S? hugoio;hugoio
S? LgBttPort;LGE Bluetooth TransPort
S? lgbusenum;LG Bluetooth Bus Enumerator
S? LGVMODEM;LGE Virtual Modem
S? MBAMProtector;MBAMProtector
S? MBAMScheduler;MBAMScheduler
S? MBAMService;MBAMService
S? NPF;NetGroup Packet Filter Driver
S? RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service
S? SgtSch2Svc;Seagate Scheduler2 Service
S? StarPortLite;StarPort Storage Controller (Lite)
S? Update Service for Best Youtube Downloader;Update Service for Best Youtube Downloader
S? vididr;Acronis Virtual Disk
S? vidsflt53;Acronis Disk Storage Filter (53)
S? WPFFontCache_v0400;Windows Presentation Foundation Font Cache
S? WTService;WTService
=============== File Associations ===============
FileExt: .reg: Regedit.Document=c:\winnt\Regedit.exe %1
ShellExec: Photoshop.exe: open=c:\program files\adobe\photoshop 7.0\Photoshop.exe
=============== Created Last 30 ================
2013-10-21 17:37:20    --------    d-----w-    c:\windows\system32\PreInstall
2013-10-21 08:15:07    --------    d-----w-    c:\documents and settings\katie\local settings\application data\gtk-2.0
2013-10-21 08:13:50    --------    d-----w-    c:\windows\system32\SoftwareDistribution
2013-10-21 07:44:57    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-10-20 20:20:32    1498960    ----a-w-    c:\windows\system32\msvcr100d.dll
2013-10-20 20:20:31    743248    ----a-w-    c:\windows\system32\msvcp100d.dll
2013-10-20 20:20:31    --------    d-----w-    c:\program files\Malwarebytes Anti-Exploit
2013-10-20 18:56:08    --------    d-----w-    c:\documents and settings\all users\application data\Licenses
2013-10-20 18:51:58    --------    d-----w-    c:\documents and settings\katie\application data\Simply Super Software
2013-10-20 18:50:55    77312    ----a-w-    c:\windows\system32\ztvunace26.dll
2013-10-20 18:50:55    77072    ----a-w-    c:\windows\system32\ztvcabinet.dll
2013-10-20 18:50:55    75264    ----a-w-    c:\windows\system32\unacev2.dll
2013-10-20 18:50:55    605968    ----a-w-    c:\windows\system32\ztv7z.dll
2013-10-20 18:50:55    185616    ----a-w-    c:\windows\system32\ztvunrar39.dll
2013-10-20 18:50:55    169744    ----a-w-    c:\windows\system32\ztvunrar36.dll
2013-10-20 18:50:54    153088    ----a-w-    c:\windows\system32\UNRAR3.dll
2013-10-20 18:50:50    --------    d-----w-    c:\program files\Trojan Remover
2013-10-20 18:50:50    --------    d-----w-    c:\documents and settings\all users\application data\Simply Super Software
2013-10-20 14:03:09    --------    d-----w-    c:\program files\Enigma Software Group
2013-10-20 14:00:05    --------    d-----w-    c:\windows\865537E164904193A4B6669C62711852.TMP
2013-10-20 11:00:13    --------    d-----w-    c:\documents and settings\katie\local settings\application data\NPE
2013-10-18 09:05:59    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-10-18 09:05:36    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-15 06:50:09    --------    d-----w-    c:\documents and settings\katie\application data\AVG2013
2013-10-15 06:47:49    --------    d-----w-    c:\documents and settings\katie\application data\TuneUp Software
2013-10-15 06:45:30    --------    d--h--w-    C:\$AVG
2013-10-15 06:45:30    --------    d-----w-    c:\documents and settings\all users\application data\AVG2013
2013-10-15 06:42:36    --------    d-----w-    c:\program files\AVG
2013-10-15 06:34:14    --------    d--h--w-    c:\documents and settings\all users\application data\Common Files
2013-10-15 06:34:14    --------    d-----w-    c:\documents and settings\katie\local settings\application data\MFAData
2013-10-15 06:34:14    --------    d-----w-    c:\documents and settings\katie\local settings\application data\Avg2013
2013-10-15 06:34:14    --------    d-----w-    c:\documents and settings\all users\application data\MFAData
2013-10-15 05:50:27    --------    d-----w-    c:\documents and settings\katie\local settings\application data\VS Revo Group
2013-10-15 05:50:10    27064    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2013-10-15 05:50:10    --------    d-----w-    c:\documents and settings\all users\application data\VS Revo Group
2013-10-15 05:50:06    --------    d-----w-    c:\program files\VS Revo Group
2013-10-15 05:14:47    --------    d-----w-    C:\UsbFix
2013-10-15 03:13:55    --------    d-----w-    c:\documents and settings\katie\application data\SUPERAntiSpyware.com
2013-10-15 03:08:46    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-10-15 03:08:46    --------    d-----w-    c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-10-15 02:52:56    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-10-14 21:33:26    --------    d-----w-    c:\documents and settings\katie\application data\Malwarebytes
2013-10-14 21:32:01    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-10-14 21:31:59    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-10-14 21:31:59    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-10-13 04:00:51    393728    ----a-w-    c:\program files\windows media player\plugins\wmp_scrobbler.dll
2013-10-13 04:00:46    --------    d-----w-    c:\documents and settings\all users\application data\Last.fm
2013-10-13 03:58:30    --------    d-----w-    c:\program files\Last.fm
2013-10-13 03:58:30    --------    d-----w-    c:\documents and settings\katie\local settings\application data\Last.fm
2013-10-13 00:50:13    --------    d-----w-    c:\documents and settings\katie\application data\DDMSettings
2013-10-11 04:55:45    --------    d-----w-    c:\documents and settings\katie\application data\Wireshark
2013-10-11 04:36:20    --------    d-----w-    c:\program files\Wireshark
2013-10-09 11:59:29    --------    d-s---w-    c:\documents and settings\katie\UserData
2013-10-08 22:18:13    --------    d-----w-    C:\AdwCleaner
2013-10-07 04:50:09    --------    d-----w-    c:\documents and settings\katie\application data\AVS4YOU
2013-10-06 21:20:14    --------    d-----w-    c:\program files\DVD Shrink
2013-10-06 21:18:29    --------    d-----w-    c:\documents and settings\all users\application data\Wincert
2013-10-06 21:18:02    --------    d-----w-    c:\documents and settings\katie\application data\somotomoviestoolbar1
2013-10-06 21:15:52    --------    d-----w-    c:\documents and settings\all users\application data\SafetyNut
2013-10-06 20:21:32    --------    d-----w-    c:\program files\TCPView
2013-10-06 17:38:22    --------    d-----w-    c:\windows\system32\drivers\nss\0203000.02C
2013-10-06 17:38:22    --------    d-----w-    c:\windows\system32\drivers\NSS
2013-10-06 17:38:22    --------    d-----w-    c:\documents and settings\all users\application data\Norton
2013-10-06 17:37:18    --------    d-----w-    c:\documents and settings\all users\application data\Symantec
2013-10-06 17:37:13    --------    d-----w-    c:\program files\NortonInstaller
2013-10-06 17:37:13    --------    d-----w-    c:\documents and settings\all users\application data\NortonInstaller
2013-10-05 18:52:46    --------    d-----w-    c:\windows\Performance
2013-10-05 18:51:57    --------    d-----w-    c:\documents and settings\katie\local settings\application data\Microsoft Corporation
2013-10-05 17:37:27    --------    d-----w-    c:\program files\Microsoft Windows 7 Upgrade Advisor
2013-10-04 00:32:01    --------    d-----w-    c:\program files\Mp3 Volumer
2013-10-01 16:10:46    --------    d-----w-    c:\program files\SimpleOCR
2013-09-30 15:41:29    --------    d-----w-    C:\adaptec
2013-09-27 02:18:19    --------    d-----w-    c:\documents and settings\katie\application data\Seagate
2013-09-27 02:18:16    --------    d-----w-    c:\documents and settings\all users\application data\Seagate
2013-09-27 02:10:59    601408    ----a-w-    c:\windows\system32\drivers\timntr.sys
2013-09-27 02:10:54    125472    ----a-w-    c:\windows\system32\drivers\vididr.sys
2013-09-27 02:10:51    83392    ----a-w-    c:\windows\system32\drivers\vsflt53.sys
2013-09-27 02:10:11    169088    ----a-w-    c:\windows\system32\drivers\snapman.sys
2013-09-27 02:09:55    --------    d-----w-    c:\program files\common files\Wise Installation Wizard
2013-09-27 02:09:43    --------    d-----w-    c:\program files\Seagate
2013-09-27 02:09:41    --------    d-----w-    c:\program files\common files\Seagate
2013-09-27 01:37:11    --------    d-----w-    C:\Log
2013-09-27 01:35:31    791680    ----a-w-    c:\windows\system32\StellarProfile.dll
2013-09-27 01:35:31    6131200    ----a-w-    c:\windows\system32\PhoenixDll.dll
2013-09-27 01:35:28    --------    d-----w-    c:\program files\Stellar Phoenix Windows Data Recovery
2013-09-26 18:24:36    --------    d-----w-    c:\documents and settings\katie\application data\Dell
2013-09-26 18:24:03    --------    d-----w-    c:\documents and settings\all users\application data\PCDr
2013-09-26 18:24:02    --------    d-----w-    c:\program files\Dell Support Center
2013-09-26 18:23:02    --------    d-----w-    c:\program files\My Dell
2013-09-26 18:19:02    --------    d-----w-    c:\documents and settings\katie\application data\PCDr
2013-09-26 17:39:56    --------    d-----w-    c:\documents and settings\katie\local settings\application data\Deployment
2013-09-26 16:46:07    --------    d-----w-    c:\program files\CPUID
==================== Find3M  ====================
2013-10-09 11:22:40    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-09 11:22:40    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-26 15:26:44    323584    ----a-w-    c:\windows\system32\AUDIOGENIE2.DLL
2013-09-09 16:04:48    22328    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-09-07 19:18:56    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2013-09-04 16:13:42    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 13:05:25    88840    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-08-08 06:43:55    3072    ----a-w-    c:\windows\system32\drivers\hugoio.sys
2009-03-27 00:23:32    2931168    -c--a-w-    c:\program files\FLV PlayerFCSetup.exe
2009-03-27 00:22:15    9810664    -c--a-w-    c:\program files\FLV PlayerRCATSetup.exe
2009-03-27 00:17:45    21126776    -c--a-w-    c:\program files\FLV PlayerRCSetup.exe
============= FINISH: 16:38:55.10 ===============

Attached Files

BC AdBot (Login to Remove)


#2 barleysinger

  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:17 PM

Posted 22 October 2013 - 05:58 AM

And I just got *another* claim by the CBL that I am infected.

---------- CBL quote ----------------------------
IP Address [My IP ADDRESS] like I'm really going to tell the entire world) is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2013-10-22 06:00 GMT (+/- 30 minutes), approximately 4 hours, 30 minutes ago.

It has been resisted following a previous removal at 2013-10-18 01:18 GMT (4 days, 9 hours, 23 minutes ago)

This IP is infected with, or is NATting for a machine infected with s_smart12

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_smart12 Command and Control server, with contents unique to s_smart12 C&C command protocols.

This was detected by a TCP/IP connection from [My IP ADDRESS] on port 60320 going to IP address (the sinkhole) on port 80.

The botnet command and control domain for this connection was "tsvswququsamqaqq.net".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address or host name tsvswququsamqaqq.net on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to or tsvswququsamqaqq.net. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.


This detection corresponds to a connection at 2013-10-22 06:09:53 (GMT - this timestamp is believed accurate to within one second).


The PC in question was running several anti-virus/malware programs when they claim this occurred. The only other computers ion the house were (androids not online and 2 Nintendo DS and one 3DS (all turned off).
something real is probably happening, but how the CBL scripts manage to keep changing theri minds is beyond me (with no software able to detect anything and no other spam/botnet BLACK LISTS noticing me) is beyond me.

I might just need to use ComboFix (but with guidance as I don't want to nuke this machine's ability to run (I need it running) and it only has an external USB DVD COmbo drive (the internal one is dead & I have not put my external into it yet) and also a 3 1/2 floppy. I do not want this to be bricked in the process of fixing it, and I would hate to lose all of my OEM software by reformatting (probably low level)  and starting over with a blank 80GB drive.

I wish I could afford a better machine (disability issues) and toss this one aside for now. In a former life I was a very well paid IT person.


Edited by barleysinger, 22 October 2013 - 06:13 AM.

#3 barleysinger

  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:17 PM

Posted 22 October 2013 - 08:46 AM

this is the first time I have had continuous hits over time, and had them be for  a BOTNET with the same name

---------- another new hit on the CBL --------------------------------

IP Address [my ip address] is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.


It was last detected at 2013-10-22 10:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.

It has been relisted following a previous removal at 2013-10-18 01:18 GMT (4 days, 12 hours, 25 minutes ago)

This IP is infected with, or is NATting for a machine infected with s_smart12

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_smart12 Command and Control server, with contents unique to s_smart12 C&C command protocols.

This was detected by a TCP/IP connection from [my ip address] on port 49088 going to IP address (the sinkhole) on port 80.

The botnet command and control domain for this connection was "tsvswququsamqaqq.net".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address or host name tsvswququsamqaqq.net on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to or tsvswququsamqaqq.net. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.


This detection corresponds to a connection at 2013-10-22 10:27:43 (GMT - this timestamp is believed accurate to within one second).

#4 nasdaq


  • Malware Response Team
  • 38,971 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:47 AM

Posted 25 October 2013 - 10:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#5 nasdaq


  • Malware Response Team
  • 38,971 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:47 AM

Posted 31 October 2013 - 09:58 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#6 nasdaq


  • Malware Response Team
  • 38,971 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:47 AM

Posted 11 January 2014 - 01:59 PM

This topic has been re-opened at the request of the person who originally posted.

#7 barleysinger

  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:17 PM

Posted 11 January 2014 - 03:02 PM

As requested, the first report. It will take a whole before I do the next one as I need sleep badly (health issues again, sorry about that and thanks for your patience).

OK so I ran RogueKiller (grabbed the latest version) and *BEFORE* I kill anything in the registry that I can't get back, and might screw thigns up, I am sending you my report in the text of this post

It *DID* pick up 4 registry entries, and listed all of my browser addons. Nothing else.

I find it odd that the contents of the tabs don't list in the report (registry entries and browser addons).

I have noticed that a lot of useful information appears not to be in the report (odd). It does not list my browser addons, or my

registry entries in the report.

As I don't feel like trashing my system registry by accident, by killing keys or values that I do not understand (easy to do) so

before I tell it to delete anything, here is the report (and the registry entries which I have listed manually).

-------------- here are the registry entries -------------------
Status : FOUND
Key : Software\Microsoft\Windows\CurrentVersion\Run
Value : AVG-Secure-Search-Update_1213v
Data : C:\Documents and Settings\Katie\Application Data\AVG 1213b Campaign\AVG-Secure-Search-Update-1213b.exe

/PROMPT /mid=050f05fe6b7e47d3a1c6d15a346c5009-95d874cc7c64e164b40cdaa8a7a4e77155683963


Status : FOUND
Type : PUM
Key : Software\Microsoft\Windows\CurrentVersion\Policies\System
Value : DisableTaskMgr
Data : 0

Status : FOUND
Type : PUM
Key : Software\Microsoft\Windows\CurrentVersion\Policies\System
Value : DisableRegistryTools
Data : 0

Status : FOUND
Type : PUM
Key : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Value : {20D04FE0-3AEA-1069-A2D8-08002B30309D}
Data : 1

================HERE IS THE REPORT ==============================
RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Katie [Admin rights]
Mode : Scan -- Date : 01/12/2014 06:02:09
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_1213b (C:\Documents and Settings\Katie\Application

Data\AVG 1213b Campaign\AVG-Secure-Search-Update-1213b.exe /PROMPT

/mid=050f05fe6b7e47d3a1c6d15a346c5009-95d874cc7c64e164b40cdaa8a7a4e77155683963 /CMPID=1213b [x][x]) ->

[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Maxtor 6L080M0 +++++
--- User ---
[MBR] 3128c1c6687f57a6dc73b432bd371dff
[BSP] 1db103e28eaeaeee57c60c3810083fd0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76285 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01122014_060209.txt >>


#8 barleysinger

  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:17 PM

Posted 11 January 2014 - 04:11 PM

And here is the next report from AwdCleaner. I have not yet removed anything as I am uncertain which things I really *OUGHT* to remove, and these programs are not very discriminating at times.

I did notice several strange things it found :

"C:\END" which is currently an empty file (and I have idea what it is a part of, or saw, last run at

"C:\Program Files\NCH Software" (and references to NHC software all over the place, which I think is stuff from the  CONDUIT toolbar

Freecorder (which I do not recall EVER installing and I opt out of everything I can
speedbit.xml (buried in firefox in the profiles)

However the ADwCleaner program also detects items which are not necessarily problems (most detection programs do ) and i would prefer not to cripple my machine (or any of it's GOOD software) unnecessarily. Hence my desire for guidance.

I know it detected PFDFORGE as an issue and it isn't one (it is just a printer driver for printing files to pdf)
It also wants to get rid of many extension folders in FIREFOX.

===== this is the log. Guidance appreciated ===================


# AdwCleaner v3.016 - Report created 12/01/2014 at 06:54:53
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Katie - MERCURY
# Running from : C:\Documents and Settings\Katie\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\Katie\Application Data\Mozilla\Firefox\Profiles\a63jqmtl.default\searchplugins\speedbit.xml
File Found : C:\Documents and Settings\Katie\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
File Found : C:\Documents and Settings\Katie\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_fastcontent.conduit.com_0.localstorage
File Found : C:\END
File Found : C:\Program Files\Mozilla Firefox\browser\searchplugins\Ask.xml
Folder Found : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\k9c7dc6v.default\Extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Folder Found : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\k9c7dc6v.default\Extensions\{3444c3c5-6c56-4a16-a453-832b05bf6ea4}
Folder Found : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\edx951o7.default\Extensions\{3444c3c5-6c56-4a16-a453-832b05bf6ea4}
Folder Found : C:\Documents and Settings\Katie\Application Data\Mozilla\Firefox\Profiles\a63jqmtl.default\Extensions\{3444c3c5-6c56-4a16-a453-832b05bf6ea4}
Folder Found : C:\Documents and Settings\Katie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kpepfkjapeclaafmhoelccknpfedainn
Folder Found : C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\2ldyclno.default\Extensions\{3444c3c5-6c56-4a16-a453-832b05bf6ea4}
Folder Found : C:\Documents and Settings\Rondel\Application Data\Mozilla\Firefox\Profiles\edx951o7.default\Extensions\{3444c3c5-6c56-4a16-a453-832b05bf6ea4}
Folder Found : C:\Documents and Settings\Web Access\Application Data\Mozilla\Firefox\Profiles\bh8pjn5h.default\Extensions\{3444c3c5-6c56-4a16-a453-832b05bf6ea4}
Folder Found C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\k9c7dc6v.default\CT1060933
Folder Found C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\k9c7dc6v.default\somotomoviestoolbar1
Folder Found C:\Documents and Settings\Admin\Application Data\pdfforge
Folder Found C:\Documents and Settings\Admin\Local Settings\Application Data\Freecorder
Folder Found C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\edx951o7.default\somotomoviestoolbar1
Folder Found C:\Documents and Settings\Administrator\Application Data\pdfforge
Folder Found C:\Documents and Settings\Administrator\Application Data\Search Settings
Folder Found C:\Documents and Settings\All Users\Application Data\Ask
Folder Found C:\Documents and Settings\All Users\Application Data\NCH Software
Folder Found C:\Documents and Settings\Katie\Application Data\Mozilla\Firefox\Profiles\a63jqmtl.default\CT1060933
Folder Found C:\Documents and Settings\Katie\Application Data\Mozilla\Firefox\Profiles\a63jqmtl.default\Smartbar
Folder Found C:\Documents and Settings\Katie\Application Data\Mozilla\Firefox\Profiles\a63jqmtl.default\somotomoviestoolbar1
Folder Found C:\Documents and Settings\Katie\Application Data\NCH Software
Folder Found C:\Documents and Settings\Katie\Local Settings\Application Data\Freecorder
Folder Found C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\2ldyclno.default\somotomoviestoolbar1
Folder Found C:\Documents and Settings\NetworkService\Local Settings\Application Data\Freecorder
Folder Found C:\Documents and Settings\Parents\Application Data\Search Settings
Folder Found C:\Documents and Settings\Rondel\Application Data\Mozilla\Firefox\Profiles\edx951o7.default\somotomoviestoolbar1
Folder Found C:\Documents and Settings\Rondel\Application Data\pdfforge
Folder Found C:\Documents and Settings\Rondel\Local Settings\Application Data\Freecorder
Folder Found C:\Documents and Settings\SysDeity\Application Data\Mozilla\Firefox\Profiles\yp7vkyu5.default\somotomoviestoolbar1
Folder Found C:\Documents and Settings\SysDeity\Application Data\pdfforge
Folder Found C:\Documents and Settings\Web Access\Application Data\Mozilla\Firefox\Profiles\bh8pjn5h.default\somotomoviestoolbar1
Folder Found C:\Documents and Settings\Web Access\Application Data\pdfforge
Folder Found C:\Program Files\Freecorder
Folder Found C:\Program Files\NCH Software

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Freecorder
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1392B8D2-5C05-419F-A8F6-B9F15A596612}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{92A9ACF4-9333-43AE-9698-DB283326F87F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE48ED75-5A56-4C5F-BBCE-6F1AC3875F66}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA9B9C89-4662-4ADC-9C23-A452BECD5D19}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FF7C3CF0-4B15-11D1-ABED-709549C10000}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1392B8D2-5C05-419F-A8F6-B9F15A596612}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92A9ACF4-9333-43AE-9698-DB283326F87F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE48ED75-5A56-4C5F-BBCE-6F1AC3875F66}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA9B9C89-4662-4ADC-9C23-A452BECD5D19}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF7C3CF0-4B15-11D1-ABED-709549C10000}
Key Found : HKCU\Software\NCH Software
Key Found : HKCU\Software\pdfforge
Key Found : HKCU\Software\SBConvert
Key Found : HKCU\Software\SmartBar
Key Found : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\{A2773ED4-83BD-488A-A186-73590706C916}
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1E34137A-DCA2-487F-98BD-E6DE882564C3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{92A9ACF4-9333-43AE-9698-DB283326F87F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A600DA2F-5520-498A-8586-8CD1F2782A8A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CA9B9C89-4662-4ADC-9C23-A452BECD5D19}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}
Key Found : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler
Key Found : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1
Key Found : HKLM\SOFTWARE\Classes\Directory\shell\SPEEDbitVideoConverter
Key Found : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Found : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Found : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Found : HKLM\SOFTWARE\Classes\SBConvert.SBConvert
Key Found : HKLM\SOFTWARE\Classes\SBConvert.SBConvert.3
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Found : HKLM\SOFTWARE\Classes\ToolBand.Localizer
Key Found : HKLM\SOFTWARE\Classes\ToolBand.Localizer.1
Key Found : HKLM\SOFTWARE\Classes\ToolBand.NameHighlighter
Key Found : HKLM\SOFTWARE\Classes\ToolBand.NameHighlighter.1
Key Found : HKLM\SOFTWARE\Classes\ToolBand.NameHighlighterStatistics
Key Found : HKLM\SOFTWARE\Classes\ToolBand.NameHighlighterStatistics.1
Key Found : HKLM\SOFTWARE\Classes\ToolBand.SNameProxy
Key Found : HKLM\SOFTWARE\Classes\ToolBand.SNameProxy.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{090ACFA1-1580-11D1-8AC0-00C0F00910F9}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3BCF582D-CA87-4C6F-AF3D-B3548A976AB3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{937936AF-28CA-4973-B8AE-F250406149A2}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B4E90801-B83C-11D0-8B40-00C0F00AE35A}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}
Key Found : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook
Key Found : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1
Key Found : HKLM\Software\DivX\Install\Setup\WizardLayout\ConduitToolbar
Key Found : HKLM\Software\Freecorder
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3444C3C5-6C56-4A16-A453-832B05BF6EA4}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{43D86190-6343-4D4F-A269-8F2CC28B829A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{488593B3-4887-4DB9-B8FC-FC364C995C31}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{603C4CC9-5DC6-4C44-873F-8281509DF953}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\delta2.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Freecorder Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\somotomoviestoolbar1FF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8C338DDB-19FC-4C1F-B74D-6931EE55F7A1}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A600DA2F-5520-498A-8586-8CD1F2782A8A}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freecorder Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\somotomoviestoolbar1FF
Key Found : HKLM\Software\NCH Software
Key Found : HKLM\Software\Uniblue
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{0329E7D6-6F54-462D-93F6-F5C3118BADF2}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{1392B8D2-5C05-419F-A8F6-B9F15A596612}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{1392B8D2-5C05-419F-A8F6-B9F15A596612}]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{0329E7D6-6F54-462D-93F6-F5C3118BADF2}]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [searchpredict@speedbit.com]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs] - hxxp://go.speedbit.com/tab/?s=DCDaya1

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\z3x4icuo.default\prefs.js ]

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\k9c7dc6v.default\prefs.js ]

[ File : C:\Documents and Settings\Katie\Application Data\Mozilla\Firefox\Profiles\a63jqmtl.default\prefs.js ]

Line Found : user_pref("CT3282495.1000082.isPlayDisplay", "true");
Line Found : user_pref("CT3282495.1000082.state", "{\"state\":\"stopped\",\"text\":\"Virgin Ra...\",\"description\":\"Virgin Radio Classic Rock\",\"url\":\"hxxp://www.smgradio.com/core/audio/wmp/live.asx?service=v[...]
Line Found : user_pref("CT3282495.1000234.TWC_TMP_city", "MELBOURNE");
Line Found : user_pref("CT3282495.1000234.TWC_TMP_country", "AU");
Line Found : user_pref("CT3282495.1000234.TWC_country", "AUSTRALIA");
Line Found : user_pref("CT3282495.1000234.TWC_locId", "CAXX2646");
Line Found : user_pref("CT3282495.1000234.TWC_location", "Australian, BC, Canada");
Line Found : user_pref("CT3282495.1000234.TWC_region", "OT");
Line Found : user_pref("CT3282495.1000234.TWC_temp_dis", "c");
Line Found : user_pref("CT3282495.1000234.TWC_wind_dis", "kmh");
Line Found : user_pref("CT3282495.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3282495.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3282495.FirstTime", "true");
Line Found : user_pref("CT3282495.FirstTimeFF3", "true");
Line Found : user_pref("CT3282495.UserID", "UN19190354948709200");
Line Found : user_pref("CT3282495.addressBarTakeOverEnabledInHidden", "true");
Line Found : user_pref("CT3282495.countryCode", "AU");
Line Found : user_pref("CT3282495.defaultSearch", "false");
Line Found : user_pref("CT3282495.enableAlerts", "true");
Line Found : user_pref("CT3282495.enableSearchFromAddressBar", "true");
Line Found : user_pref("CT3282495.firstTimeDialogOpened", "true");
Line Found : user_pref("CT3282495.fixPageNotFoundError", "true");
Line Found : user_pref("CT3282495.fixPageNotFoundErrorByUser", "true");
Line Found : user_pref("CT3282495.fixPageNotFoundErrorInHidden", "true");
Line Found : user_pref("CT3282495.fullUserID", "UN19190354948709200.IN.20131105143500");
Line Found : user_pref("CT3282495.homepageuserchanged", true);
Line Found : user_pref("CT3282495.installId", "conduitinstaller.exe");
Line Found : user_pref("CT3282495.installType", "conduitnsisintegration");
Line Found : user_pref("CT3282495.isCheckedStartAsHidden", true);
Line Found : user_pref("CT3282495.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3282495.isFirstTimeToolbarLoading", "false");
Line Found : user_pref("CT3282495.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Found : user_pref("CT3282495.lastNewTabSettings", "{\"isEnabled\":false,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT3282495&octid=CT3282495&SearchSource=15&CUI=UN19190354948709200&SSPV=&Lay=1&UM=2\"}");
Line Found : user_pref("CT3282495.lastVersion", "");
Line Found : user_pref("CT3282495.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fgreatis.com%2Funhackme%2Fdownload.htm\",\"EB_MAIN_FRAME_TITLE\":\"UnHackMe%20-%20Download\",[...]
Line Found : user_pref("CT3282495.openThankYouPage", "false");
Line Found : user_pref("CT3282495.openUninstallPage", "true");
Line Found : user_pref("CT3282495.revertSettingsEnabled", "true");
Line Found : user_pref("CT3282495.search.searchAppId", "130038710980568143");
Line Found : user_pref("CT3282495.search.searchCount", "0");
Line Found : user_pref("CT3282495.searchInNewTabEnabledByUser", "false");
Line Found : user_pref("CT3282495.searchInNewTabEnabledInHidden", "true");
Line Found : user_pref("CT3282495.searchSuggestEnabledByUser", "true");
Line Found : user_pref("CT3282495.searchUserMode", "2");
Line Found : user_pref("CT3282495.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3282495.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Found : user_pref("CT3282495.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Found : user_pref("CT3282495.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3282495\"}");
Line Found : user_pref("CT3282495.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://NCHENToolbar.OurToolbar.com//xpi\"}");
Line Found : user_pref("CT3282495.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"NCH EN \"}");
Line Found : user_pref("CT3282495.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3282495.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data\":\"2\"}");
Line Found : user_pref("CT3282495.serviceLayer_services_Configuration_lastUpdate", "1387611777181");
Line Found : user_pref("CT3282495.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1386805332664");
Line Found : user_pref("CT3282495.serviceLayer_services_appsMetadata_lastUpdate", "1386805332630");
Line Found : user_pref("CT3282495.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1386805332900");
Line Found : user_pref("CT3282495.serviceLayer_services_login_10.21.1.7_lastUpdate", "1387634269012");
Line Found : user_pref("CT3282495.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1386805333055");
Line Found : user_pref("CT3282495.serviceLayer_services_searchAPI_lastUpdate", "1387611775977");
Line Found : user_pref("CT3282495.serviceLayer_services_serviceMap_lastUpdate", "1387611774540");
Line Found : user_pref("CT3282495.serviceLayer_services_setupAPI_lastUpdate", "1386805339157");
Line Found : user_pref("CT3282495.serviceLayer_services_toolbarContextMenu_lastUpdate", "1386805332690");
Line Found : user_pref("CT3282495.serviceLayer_services_toolbarSettings_lastUpdate", "1387641475931");
Line Found : user_pref("CT3282495.serviceLayer_services_translation_lastUpdate", "1387611772851");
Line Found : user_pref("CT3282495.settingsINI", true);
Line Found : user_pref("CT3282495.shouldFirstTimeDialog", "false");
Line Found : user_pref("CT3282495.showToolbarPermission", "false");
Line Found : user_pref("CT3282495.smartbar.CTID", "CT3282495");
Line Found : user_pref("CT3282495.smartbar.Uninstall", "0");
Line Found : user_pref("CT3282495.smartbar.toolbarName", "NCH EN ");
Line Found : user_pref("CT3282495.startPage", "false");
Line Found : user_pref("CT3282495.toolbarBornServerTime", "11-12-2013");
Line Found : user_pref("CT3282495.toolbarCurrentServerTime", "21-12-2013");
Line Found : user_pref("CT3282495.toolbarInstallDate", "12-12-2013 09:11:42");
Line Found : user_pref("CT3282495.toolbarLoginClientTime", "Thu Dec 12 2013 09:11:41 GMT+0930");
Line Found : user_pref("CT3282495_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1387645342601,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Found : user_pref("browser.search.defaulturl", "hxxp://go.speedbit.com/search.aspx?s=DCDaya1&q=");
Line Found : user_pref("browser.search.order.1", "Speedbit Search");
Line Found : user_pref("browser.startup.homepage_override_url", "hxxp://go.speedbit.com/?s=DCDaya1");
Line Found : user_pref("extensions.daplinkchecker@speedbit.com.install-event-fired", true);
Line Found : user_pref("extensions.searchpredict@speedbit.com.install-event-fired", true);
Line Found : user_pref("keyword.URL", "hxxp://go.speedbit.com/search.aspx?s=DCDaya1&q=");
Line Found : user_pref("plugin.state.npconduitfirefoxplugin", 2);
Line Found : user_pref("speedbitvideodownloader.Var1", "0");
Line Found : user_pref("speedbitvideodownloader.Var10", "0");
Line Found : user_pref("speedbitvideodownloader.Var2", "0");
Line Found : user_pref("speedbitvideodownloader.Var3", "0");
Line Found : user_pref("speedbitvideodownloader.Var4", "0");
Line Found : user_pref("speedbitvideodownloader.Var5", "0");
Line Found : user_pref("speedbitvideodownloader.Var6", "0");
Line Found : user_pref("speedbitvideodownloader.Var7", "0");
Line Found : user_pref("speedbitvideodownloader.Var8", "0");
Line Found : user_pref("speedbitvideodownloader.Var9", "0");
Line Found : user_pref("speedbitvideodownloader.cache.tbs_include_xml_spd", "50/19/14/11/113");
Line Found : user_pref("speedbitvideodownloader.firstlaunch", "0");
Line Found : user_pref("speedbitvideodownloader.guid", "%7B9C840AED-D7AB-FA4E-6529-877B571B49C7%7D");
Line Found : user_pref("speedbitvideodownloader.userId", "%12");
Line Found : user_pref("speedbitvideodownloader_installed_version", "3.2.0");

[ File : C:\Documents and Settings\SysDeity\Application Data\Mozilla\Firefox\Profiles\yp7vkyu5.default\prefs.js ]

[ File : C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\2ldyclno.default\prefs.js ]

[ File : C:\Documents and Settings\Rondel\Application Data\Mozilla\Firefox\Profiles\edx951o7.default\prefs.js ]

[ File : C:\Documents and Settings\Rondel\Application Data\Mozilla\Firefox\Profiles\s8co2bdt.default\prefs.js ]

[ File : C:\Documents and Settings\Web Access\Application Data\Mozilla\Firefox\Profiles\bh8pjn5h.default\prefs.js ]

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\edx951o7.default\prefs.js ]

-\\ Google Chrome v31.0.1650.63

[ File : C:\Documents and Settings\Katie\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [42231 octets] - [09/10/2013 07:48:27]
AdwCleaner[R1].txt - [26918 octets] - [12/01/2014 06:54:53]
AdwCleaner[S0].txt - [43446 octets] - [09/10/2013 14:49:24]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [27040 octets] ##########

#9 nasdaq


  • Malware Response Team
  • 38,971 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:47 AM

Posted 12 January 2014 - 09:18 AM

I suggest you remove all the items found by the AdwCleaner tool.

You will miss nothing and your computer's performance should increase.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users