
AVG Reports 24 IRP Hook Rootkits


This topic is locked
59 replies to this topic

#1 laxoole
  • Members
  • 40 posts

Posted 24 January 2014 - 06:58 AM

Hello,

I had this problem for a very long time. I had lent my flash disk to a friend and by the time I received it, the files inside were converted to a shortcut. Unknowingly, I clicked on this shortcut and it led to this dilemma I am experiencing until now.

I don't know if it is the main cause of the problem, but because of this, AVG showed 24 rootkit infections. And by this time, I can no longer use my USB ports. Every time I plug in a flash disk, all its files turn into shortcuts, and when I bought a new USB keyboard and USB mouse, the system doesn't seem to recognize them.

I already tried a few methods I've searched for, but to no avail; it is still there.

Please help, I really want to use my USB ports again.

Thanks in advance

BTW, I read these two logs prior to posting this thread: http://www.bleepingcomputer.com/forums/t/506739/irp-hooks-detected-by-avg-free-false-positives-or-real-problems/ and http://www.bleepingcomputer.com/forums/t/506739/irp-hooks-detected-by-avg-free-false-positives-or-real-problems/

Here are the logs:

AVG SCAN RESULTS:

Name;"Description";"Result";"Status";"Priority"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_POWER -> CLASSPNP.SYS ClassForwardIrpSynchronous+0xD8";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_WRITE -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_CLOSE -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_CREATE -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_SYSTEM_CONTROL -> CLASSPNP.SYS ClassInitialize+0x666";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS;"IRP hook, C:\WINDOWS\System32\drivers\pciide.sys IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_SYSTEM_CONTROL -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS;"IRP hook, C:\WINDOWS\System32\drivers\pciide.sys IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_DEVICE_CONTROL -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_POWER -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_CREATE -> CLASSPNP.SYS ClassDebugPrint+0x618";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_PNP -> CLASSPNP.SYS ClassDebugPrint+0x6FB";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS;"IRP hook, C:\WINDOWS\System32\drivers\pciide.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_CLOSE -> CLASSPNP.SYS ClassDebugPrint+0x618";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_SHUTDOWN -> CLASSPNP.SYS ClassIoComplete+0xEF";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS;"IRP hook, C:\WINDOWS\System32\drivers\pciide.sys IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_DEVICE_CONTROL -> CLASSPNP.SYS ClassIoComplete+0x1C8";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_FLUSH_BUFFERS -> CLASSPNP.SYS ClassIoComplete+0xEF";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_PNP -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_READ -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> CLASSPNP.SYS ClassInternalIoControl";"Infected";"Infected";"Medium"

DDS log

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by User 1 at 19:50:16 on 2014-01-24
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.242 [GMT 8:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Yahoo!\Search Protection\YspService.exe
C:\Documents and Settings\User 1\Application Data\BitTorrent\BitTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
dURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
uRun: [BitTorrent] "c:\documents and settings\user 1\application data\bittorrent\BitTorrent.exe"  /MINIMIZED
uRun: [GarenaPlus] "d:\program files\garena plus\GarenaMessenger.exe" -autolaunch
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_UI] "d:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [Corel Photo Downloader] "c:\program files\corel\corel mediaone\Corel Photo Downloader.exe" -startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user1~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\user1~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All using 4shared Desktop - c:\program files\4shared desktop\down_all.htm
IE: Download with Xilisoft YouTube Video Converter - c:\program files\xilisoft\youtube video converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{34D36D7F-C2E6-4277-B481-FE3AD632E8FA} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user 1\application data\mozilla\firefox\profiles\07jdsf4t.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.ftp - 114.108.196.244
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 114.108.196.244
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 114.108.196.244
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 114.108.196.244
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\user 1\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\user 1\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\user 1\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\documents and settings\user 1\local settings\application data\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\user 1\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: d:\program files\garena plus\bbtalk\plugins\npplugin\npGarenaTalkPlugin.dll
FF - ExtSQL: !HIDDEN! 2009-12-16 18:26; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-8-1 120120]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 193848]
R2 AVGIDSAgent;AVGIDSAgent;d:\program files\avg\avg2014\avgidsagent.exe [2013-11-11 3478544]
R2 avgwd;AVG WatchDog;d:\program files\avg\avg2014\avgwdsvc.exe [2013-9-24 348008]
S0 cerc6;cerc6; [x]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-6-17 77624]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\program files\garena plus\room\safedrv.sys --> d:\program files\garena plus\room\safedrv.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-1-23 40776]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-6-17 181432]
S3 ssudobex;SAMSUNG Mobile USB OBEX Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudobex.sys [2012-6-17 181432]
S3 tcpip helper;tcpip helper;\??\d:\program files\garena plus\x86\tcpiphlp.sys --> d:\program files\garena plus\x86\tcpiphlp.sys [?]
.
=============== Created Last 30 ================
.
2014-01-23 18:12:28 -------- d-s---w- C:\uninstall
2014-01-23 18:11:38 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2014-01-23 18:02:43 -------- d-----w- C:\AdwCleaner
2014-01-23 15:24:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-23 14:43:24 -------- d-sha-r- C:\cmdcons
.
==================== Find3M  ====================
.
2013-12-11 13:02:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 13:02:03 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-27 20:21:06 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59:42 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26:17 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57:34 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57:33 43520 ------w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 19:51:33.67 ===============
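Added example for the AVG scan results above; this is the editor's own triage script, not code from the thread, from AVG or from Microsoft. It parses AVG's `Name;"Description";...` export into (hooked driver, IRP major, target module, symbol) tuples and groups them per driver pair, so that the question becomes "whose dispatch table points into which module" rather than a flat list of 24 findings. The `KNOWN_LIBRARY_PAIRS` table is the author's assumption from Windows driver architecture, not something the thread establishes: disk.sys is built on CLASSPNP.SYS, hidusb.sys on HIDCLASS.SYS and pciide.sys on PCIIDEX.SYS, and each library's initialisation call (ClassInitialize, HidRegisterMinidriver, PciIdeXInitialize) installs the library's own dispatch routines into the minidriver's DRIVER_OBJECT.MajorFunction[] table. The sample input copies five records from the scan results and adds one constructed, hypothetical `EXAMPLE_UNKNOWN.SYS` record to exercise the "investigate" branch.

```python
"""Triage AVG 'IRP hook' findings by asking whose dispatch table points where.

Added example; not code from the thread, from AVG or from Microsoft.
Each AVG record says: driver X's dispatch entry for IRP major Y points into
module Z. A Windows miniport/minidriver legitimately has its
DRIVER_OBJECT.MajorFunction[] entries pointing into the class/port library it
is linked against: ClassInitialize (classpnp.sys), HidRegisterMinidriver
(hidclass.sys) and PciIdeXInitialize (pciidex.sys) install the library's own
dispatch routines into the caller's driver object. KNOWN_LIBRARY_PAIRS encodes
that relationship; it is the author's assumption from Windows driver
architecture, not something the thread states.
"""
import re
from collections import defaultdict

# Export format as pasted in the thread: Name;"Description";"Result";"Status";"Priority"
FIELD_RE = re.compile(
    r'^(?P<file>[^;]+);"(?P<desc>[^"]*)";"(?P<result>[^"]*)";"(?P<status>[^"]*)";"(?P<prio>[^"]*)"$'
)
# Description: IRP hook, <hooked driver path> <IRP_MJ_x> -> <module> <symbol+offset or +offset>
DESC_RE = re.compile(
    r'^IRP hook, (?P<hooked>\S+) (?P<major>IRP_MJ_[A-Z_]+) -> (?P<target>\S+) (?P<sym>\S+)$'
)

# (minidriver, library it is built on). Author's assumption, see module docstring.
KNOWN_LIBRARY_PAIRS = {
    ("disk.sys", "classpnp.sys"),
    ("hidusb.sys", "hidclass.sys"),
    ("pciide.sys", "pciidex.sys"),
}


def basename(path):
    """Case-fold the file name; AVG mixes System32/system32 and DRIVERS/drivers."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_avg_export(text):
    """Return one dict per 'IRP hook' record. Expects one record per line; if a
    forum paste has wrapped a record (as with the hidusb IRP_MJ_POWER line in
    the thread), rejoin it before calling this."""
    records = []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue                       # blank line or trailing noise
        d = DESC_RE.match(m.group("desc"))
        if not d:
            continue                       # header row or a non-IRP-hook finding
        records.append({
            "hooked": basename(d.group("hooked")),
            "major": d.group("major"),
            "target": basename(d.group("target")),
            "symbol": d.group("sym"),
        })
    return records


def triage(records):
    """Group by (hooked driver, target module) and give one verdict per pair.
    A library install covers most IRP majors at once, so the grouped view also
    shows how much of the dispatch table points at the same module."""
    groups = defaultdict(lambda: {"majors": set(), "symbols": set()})
    for r in records:
        g = groups[(r["hooked"], r["target"])]
        g["majors"].add(r["major"])
        g["symbols"].add(r["symbol"])
    report = {}
    for (hooked, target), g in groups.items():
        if (hooked, target) in KNOWN_LIBRARY_PAIRS:
            verdict = "expected: class/port library dispatch routine"
        elif hooked == target:
            verdict = "expected: dispatch inside the driver's own image"
        else:
            verdict = "investigate: dispatch points into an unrelated module"
        report[(hooked, target)] = {
            "majors": sorted(g["majors"]),
            "symbols": sorted(g["symbols"]),
            "verdict": verdict,
        }
    return report


# Constructed sample: five records copied from the scan results in the thread
# plus one hypothetical EXAMPLE_UNKNOWN.SYS record to exercise 'investigate'.
SAMPLE_EXPORT = r"""Name;"Description";"Result";"Status";"Priority"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_POWER -> CLASSPNP.SYS ClassForwardIrpSynchronous+0xD8";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> CLASSPNP.SYS ClassInternalIoControl";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS;"IRP hook, C:\WINDOWS\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x1902";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS;"IRP hook, C:\WINDOWS\System32\drivers\pciide.sys IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Infected";"Infected";"Medium"
C:\WINDOWS\system32\DRIVERS\EXAMPLE_UNKNOWN.SYS;"IRP hook, C:\WINDOWS\System32\drivers\disk.sys IRP_MJ_READ -> EXAMPLE_UNKNOWN.SYS +0x1200";"Infected";"Infected";"Medium"
"""


def run_sample():
    """Parse and triage the constructed sample; returns the report dict."""
    return triage(parse_avg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for (hooked, target), info in sorted(run_sample().items()):
        print(f"{hooked} -> {target}: {info['verdict']}")
        print("   majors: ", ", ".join(info["majors"]))
        print("   symbols:", ", ".join(info["symbols"]))
```

The grouped output makes the pattern in the thread's 24 records visible at a glance: every disk.sys entry lands in classpnp.sys, every hidusb.sys entry lands at the same hidclass.sys offset (+0x1902, one generic dispatch routine), and every pciide.sys entry lands in pciidex.sys. The `symbol+offset` text is only the nearest exported symbol plus a distance, which is why unrelated names such as ClassDebugPrint or PciIdeXDebugPrint appear; the module a pointer lands in is the useful field, not the symbol name. A real dispatch hook would show up as a driver pair that is not on the allowlist, and that is what the constructed last record demonstrates.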
#2 HelpBot (Bleepin' Binary Bot)
  • Bots
  • 12,604 posts

Posted 29 January 2014 - 07:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/521928 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 laxoole
  • Topic Starter
  • Members
  • 40 posts

Posted 30 January 2014 - 02:39 AM

1. The problem I've faced with my computer is that AVG shows 24 IRP Hook rootkits. I can no longer use my USB drives. The contents of my flash drive all turn into shortcuts. My new USB keyboard and mouse are not recognized by my computer.
 
I've performed steps based on these links:
http://www.bleepingcomputer.com/forums/t/506739/irp-hooks-detected-by-avg-free-false-positives-or-real-problems/
http://cocodrilabs.wordpress.com/2012/04/16/virus-my-files-turned-into-shortcuts-solved/
http://www.fixpcyourself.com/irp-hook-rootkit/
 
and it is still there.
 
2. DDS log
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by User 1 at 15:34:24 on 2014-01-30
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.296 [GMT 8:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Yahoo!\Search Protection\YspService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
dURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
uRun: [BitTorrent] "c:\documents and settings\user 1\application data\bittorrent\BitTorrent.exe"  /MINIMIZED
uRun: [GarenaPlus] "d:\program files\garena plus\GarenaMessenger.exe" -autolaunch
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_UI] "d:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [Corel Photo Downloader] "c:\program files\corel\corel mediaone\Corel Photo Downloader.exe" -startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user1~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\user1~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All using 4shared Desktop - c:\program files\4shared desktop\down_all.htm
IE: Download with Xilisoft YouTube Video Converter - c:\program files\xilisoft\youtube video converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{34D36D7F-C2E6-4277-B481-FE3AD632E8FA} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user 1\application data\mozilla\firefox\profiles\07jdsf4t.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.ftp - 114.108.196.244
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 114.108.196.244
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 114.108.196.244
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 114.108.196.244
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\user 1\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\user 1\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\user 1\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\documents and settings\user 1\local settings\application data\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\user 1\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: d:\program files\garena plus\bbtalk\plugins\npplugin\npGarenaTalkPlugin.dll
FF - ExtSQL: !HIDDEN! 2009-12-16 18:26; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-8-1 120120]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 193848]
R2 AVGIDSAgent;AVGIDSAgent;d:\program files\avg\avg2014\avgidsagent.exe [2013-11-11 3478544]
R2 avgwd;AVG WatchDog;d:\program files\avg\avg2014\avgwdsvc.exe [2013-9-24 348008]
S0 cerc6;cerc6; [x]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-6-17 77624]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\program files\garena plus\room\safedrv.sys --> d:\program files\garena plus\room\safedrv.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-1-23 40776]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-6-17 181432]
S3 ssudobex;SAMSUNG Mobile USB OBEX Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudobex.sys [2012-6-17 181432]
S3 tcpip helper;tcpip helper;\??\d:\program files\garena plus\x86\tcpiphlp.sys --> d:\program files\garena plus\x86\tcpiphlp.sys [?]
.
=============== Created Last 30 ================
.
2014-01-23 18:12:28 -------- d-s---w- C:\uninstall
2014-01-23 18:11:38 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2014-01-23 18:02:43 -------- d-----w- C:\AdwCleaner
2014-01-23 15:24:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-23 14:43:24 -------- d-sha-r- C:\cmdcons
.
==================== Find3M  ====================
.
2013-12-11 13:02:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 13:02:03 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-27 20:21:06 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59:42 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
============= FINISH: 15:35:35.92 ===============

3. No, I do not have my original Windows CD/DVD

PS: I do not have a WinZip program

#4 nasdaq

  • Malware Response Team
  • 38,787 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 January 2014 - 09:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Clean your Flash Drive.

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
===

Download the correct tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

#5 laxoole

  • Topic Starter
  • Members
  • 40 posts

Posted 30 January 2014 - 11:49 AM

AVG detects Flash Disinfector as a Trojan; should I just ignore the threat? Thank you



#6 nasdaq

  • Malware Response Team
  • 38,787 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 January 2014 - 02:17 PM

Yes.

#7 laxoole

  • Topic Starter
  • Members
  • 40 posts

Posted 31 January 2014 - 05:20 AM

Hello, I did the first step. When I cleaned my flash drive, my USB keyboard and mouse, USB speakers, the USB cord of the printer, and my two flash drives were plugged in. However, one infected flash drive still remains. What do I do about it?



#8 laxoole

  • Topic Starter
  • Members
  • 40 posts

Posted 31 January 2014 - 05:33 AM

I did the second step.

Below is the FRST.txt:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-01-2014 01

Ran by User 1 (administrator) on PC on 31-01-2014 18:23:54
Running from C:\Documents and Settings\User 1\My Documents\Downloads
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) ===================
 
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Motorola Inc.) C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
(AVG Technologies CZ, s.r.o.) D:\Program Files\AVG\AVG2014\avgwdsvc.exe
(Nero AG) C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
(Nero AG) C:\Program Files\Nero\Nero 7\InCD\InCD.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Apple Computer, Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nero AG) C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(AVG Technologies CZ, s.r.o.) D:\Program Files\AVG\AVG2014\avgui.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
(Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\Search Protection\YspService.exe
(BitTorrent Inc.) C:\Documents and Settings\User 1\Application Data\BitTorrent\BitTorrent.exe
(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
() C:\WINDOWS\system32\PSIService.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Stardock) C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
(Canon Inc.) C:\Program Files\Canon\CAL\CALMAIN.exe
(Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(Google Inc.) C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Ulead AutoDetector v2] - C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe [90112 2006-11-29] (Ulead Systems, Inc.)
HKLM\...\Run: [SMSERIAL] - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [638976 2008-03-04] (Motorola Inc.)
HKLM\...\Run: [NvCplDaemon] - C:\WINDOWS\system32\NvCpl.dll [13680640 2009-02-09] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] - nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] - C:\WINDOWS\system32\NvMcTray.dll [86016 2009-02-09] (NVIDIA Corporation)
HKLM\...\Run: [NeroFilterCheck] - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [153136 2007-03-01] (Nero AG)
HKLM\...\Run: [SecurDisc] - C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe [1629480 2007-06-25] (Nero AG)
HKLM\...\Run: [InCD] - C:\Program Files\Nero\Nero 7\InCD\InCD.exe [1057064 2007-06-25] (Nero AG)
HKLM\...\Run: [GrooveMonitor] - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31072 2008-10-25] (Microsoft Corporation)
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [689488 2008-03-11] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [1848648 2008-03-04] (CANON INC.)
HKLM\...\Run: [LogitechQuickCamRibbon] - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-03-17] (Apple Inc.)
HKLM\...\Run: [Nikon Message Center 2] - C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe [619008 2010-05-25] (Nikon Corporation)
HKLM\...\Run: [ArcSoft Connection Service] - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-22] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG_UI] - D:\Program Files\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Corel Photo Downloader] - C:\Program Files\Corel\Corel MediaOne\Corel Photo Downloader.exe [483144 2007-08-17] (Corel, Inc.)
HKCU\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2008-06-09] (Hewlett-Packard Company)
HKCU\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2007-06-27] (Nero AG)
HKCU\...\Run: [Messenger (Yahoo!)] - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [5244216 2009-11-10] (Yahoo! Inc.)
HKCU\...\Run: [YSearchProtection] - C:\Program Files\Yahoo!\Search Protection\YspService.exe [243000 2010-04-01] (Yahoo! Inc.)
HKCU\...\Run: [BitTorrent] - C:\Documents and Settings\User 1\Application Data\BitTorrent\BitTorrent.exe [900696 2014-01-23] (BitTorrent Inc.)
HKCU\...\Run: [GarenaPlus] - D:\Program Files\Garena Plus\GarenaMessenger.exe [9740080 2013-08-23] ()
HKCU\...\Policies\Explorer: [NoDriveAutoRun] 0xFFFFFFFF
HKU\Administrator\...\RunOnce: [NeroHomeFirstStart] - C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe [ 2007-06-27] (Nero AG)
HKU\Administrator\...\RunOnce: [spchecker] - "C:\Program Files\AVG\AVG10\Notification\SPCheckerTE.exe"
HKU\Default User\...\RunOnce: [NeroHomeFirstStart] - C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe [ 2007-06-27] (Nero AG)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Documents and Settings\User 1\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Documents and Settings\User 1\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
ShortcutTarget: Stardock ObjectDock.lnk -> C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (Stardock)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKCU - {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = http://ph.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Yahooo Search Protection - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll No File
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [94208] (Apple Computer, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default
FF NewTab: about:blank
FF DefaultSearchEngine: Yahoo
FF SearchEngineOrder.1: Ask Search
FF SelectedSearchEngine: Yahoo
FF Homepage: about:home
FF NetworkProxy: "backup.ftp", "114.108.196.244"
FF NetworkProxy: "backup.ftp_port", 3128
FF NetworkProxy: "backup.socks", "114.108.196.244"
FF NetworkProxy: "backup.socks_port", 3128
FF NetworkProxy: "backup.ssl", "114.108.196.244"
FF NetworkProxy: "backup.ssl_port", 3128
FF NetworkProxy: "ftp", "114.108.196.244"
FF NetworkProxy: "ftp_port", 3128
FF NetworkProxy: "http", "114.108.196.244"
FF NetworkProxy: "http_port", 3128
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "114.108.196.244"
FF NetworkProxy: "socks_port", 3128
FF NetworkProxy: "ssl", "114.108.196.244"
FF NetworkProxy: "ssl_port", 3128
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @t.garena.com/garenatalk - D:\Program Files\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll ( Garena)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @facebook.com/FBPlugin,version=1.0.1 - C:\Documents and Settings\User 1\Application Data\Facebook\npfbplugin_1_0_1.dll ( )
FF Plugin HKCU: @facebook.com/FBPlugin,version=1.0.3 - C:\Documents and Settings\User 1\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Documents and Settings\User 1\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Documents and Settings\User 1\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Extension: SelectionLinks - C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\Extensions\{B3BA93EC-0F2B-462E-AF88-FF1F6D042DE2} [2013-08-06]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-02-08]
FF Extension: Address Bar Search - C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9}.xpi [2013-12-04]
FF Extension: Shine Bright Skin Aero - C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\Extensions\{c7b3cf78-9cbc-47b9-ba47-bb84a56069dd}.xpi [2011-07-08]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: ""
CHR DefaultSearchKeyword: ph.search.yahoo.com
CHR DefaultSearchProvider: Yahoo!
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\28.0.1500.95\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\28.0.1500.95\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\28.0.1500.95\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2161_0\plugins/avgnpss.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (2007 Microsoft Office system) - C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Facebook Plugin) - C:\Documents and Settings\User 1\Application Data\Facebook\npfbplugin_1_0_1.dll ( )
CHR Plugin: (Facebook Plugin) - C:\Documents and Settings\User 1\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
CHR Plugin: (Facebook Video Calling Plugin) - C:\Documents and Settings\User 1\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
CHR Plugin: (Google Update) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U32) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.320.5) - C:\WINDOWS\system32\npdeployJava1.dll (Oracle Corporation)
CHR Plugin: (BlackBerry AppWorld) - C:\Program Files\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll No File
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Angry Birds) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2011-08-13]
CHR Extension: (FB Refresh) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bdlfdaajmclngiomogmleihllaejcnni [2013-09-16]
CHR Extension: (Despicable Me Minions Partying) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eddehnkimbchcgmbpbpmfiomedigjjki [2013-07-31]
CHR Extension: (Cut the Rope) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gkddaofiamhgfjmaccfcfpfolpgbeomj [2012-07-24]
CHR Extension: (new metroTab) - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\oogmkbpkoblajkomflhkkdmbfggdmefd [2013-09-16]
CHR HKLM\...\Chrome\Extension: [jdijlghmdocigbommlafbhndiagfeglg] - C:\Program Files\OApps\chrome-sl.crx [2013-09-16]
CHR HKLM\...\Chrome\Extension: [lkemddiljapcmhicklfpcbpfffahfbja] - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\extensions\WebNavigation.crx [2013-09-17]
CHR HKLM\...\Chrome\Extension: [mhfdcmehmjcclgopdodkjdicohagipid] - C:\DOCUME~1\USER1~1\LOCALS~1\Temp\ccex.crx [2013-09-17]
CHR StartMenuInternet: Google Chrome - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
========================== Services (Whitelisted) =================
 
R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AVGIDSAgent; D:\Program Files\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
R2 avgwd; D:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
R2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96370 2007-01-31] (Canon Inc.)
S3 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [103808 2008-01-23] ()
R2 InCDsrv; C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe [1552680 2007-06-25] (Nero AG)
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] ()
 
==================== Drivers (Whitelisted) ====================
 
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [120120 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [209208 2013-09-02] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [145720 2013-09-02] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [22840 2013-09-10] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [176952 2013-09-02] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [223032 2013-09-02] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [102200 2013-08-20] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [27448 2013-09-08] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 FilterService; C:\WINDOWS\System32\DRIVERS\lvuvcflt.sys [23832 2009-10-07] (Logitech Inc.)
R4 InCDfs; C:\WINDOWS\System32\drivers\InCDFs.sys [119080 2007-06-25] (Nero AG)
R1 InCDPass; C:\WINDOWS\System32\drivers\InCDPass.sys [36776 2007-06-25] (Nero AG)
U1 InCDrec; C:\WINDOWS\system32\Drivers\InCDrec.sys [16040 2007-06-25] (Nero AG)
R1 incdrm; C:\WINDOWS\System32\drivers\InCDRm.sys [38440 2007-06-25] (Nero AG)
S3 ivusb; C:\WINDOWS\System32\DRIVERS\ivusb.sys [25112 2010-07-29] (Initio Corporation)
R3 LVPr2Mon; C:\WINDOWS\System32\Drivers\LVPr2Mon.sys [25752 2009-10-07] ()
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2014-01-23] (Malwarebytes Corporation)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S3 ssudobex; C:\WINDOWS\System32\DRIVERS\ssudobex.sys [181432 2011-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
R3 ULCDRHlp; C:\WINDOWS\System32\Drivers\ULCDRHlp.sys [27392 2004-12-23] (Ulead Systems, Inc.)
S3 catchme; \??\C:\DOCUME~1\USER1~1\LOCALS~1\Temp\catchme.sys [x]
S0 cerc6; No ImagePath
S3 GGSAFERDriver; \??\D:\Program Files\Garena Plus\Room\safedrv.sys [x]
S4 IntelIde; No ImagePath
S3 RimUsb; System32\Drivers\RimUsb.sys [x]
S3 tcpip helper; \??\D:\Program Files\Garena Plus\x86\tcpiphlp.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-31 18:23 - 2014-01-31 18:23 - 00000000 ____D C:\FRST
2014-01-28 00:55 - 2014-01-28 00:55 - 77568440 _____ C:\Documents and Settings\User 1\Desktop\Disney's Frozen - _Let It Go_ Multi-Language Full Sequence.mp4
2014-01-24 19:51 - 2014-01-30 15:35 - 00024797 _____ C:\Documents and Settings\User 1\Desktop\attach.txt
2014-01-24 19:51 - 2014-01-30 15:35 - 00012931 _____ C:\Documents and Settings\User 1\Desktop\dds.txt
2014-01-24 19:37 - 2014-01-24 19:37 - 00009034 _____ C:\Documents and Settings\User 1\My Documents\AVG.csv
2014-01-24 02:12 - 2014-01-24 02:12 - 00000000 ___SD C:\uninstall
2014-01-24 02:11 - 2014-01-24 02:11 - 00012568 _____ (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
2014-01-24 02:02 - 2014-01-24 02:05 - 00000000 ____D C:\AdwCleaner
2014-01-23 23:24 - 2014-01-23 23:31 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2014-01-23 23:14 - 2014-01-23 23:14 - 00050294 _____ C:\ComboFix.txt
2014-01-23 22:43 - 2014-01-23 22:43 - 00000000 _RSHD C:\cmdcons
2014-01-23 22:43 - 2009-12-03 17:23 - 00000211 _____ C:\Boot.bak
2014-01-23 22:43 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2014-01-23 22:33 - 2014-01-24 02:12 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-23 22:24 - 2014-01-24 18:49 - 00000512 _____ C:\Documents and Settings\User 1\Desktop\MBR.dat
2014-01-23 17:32 - 2014-01-23 17:32 - 00000860 _____ C:\Documents and Settings\User 1\Start Menu\BitTorrent.lnk
2014-01-16 00:56 - 2014-01-16 00:56 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2914368$
2014-01-16 00:55 - 2014-01-16 00:56 - 00005248 _____ C:\WINDOWS\KB2914368.log
 
==================== One Month Modified Files and Folders =======
 
2014-01-31 18:24 - 2009-12-03 17:26 - 01172638 _____ C:\WINDOWS\WindowsUpdate.log
2014-01-31 18:23 - 2014-01-31 18:23 - 00000000 ____D C:\FRST
2014-01-31 18:22 - 2012-04-01 11:56 - 00000000 ____D C:\Documents and Settings\User 1\Application Data\BitTorrent
2014-01-31 18:21 - 2012-05-13 19:59 - 00000000 ____D C:\Documents and Settings\User 1\Application Data\GarenaPlus
2014-01-31 18:21 - 2012-05-13 19:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\GarenaMessenger
2014-01-31 18:20 - 2010-10-16 17:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2014-01-31 18:17 - 2008-04-14 20:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2014-01-31 18:16 - 2010-09-20 19:08 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-31 18:16 - 2009-12-04 01:18 - 00000159 _____ C:\WINDOWS\wiadebug.log
2014-01-31 18:16 - 2009-12-04 01:18 - 00000049 _____ C:\WINDOWS\wiaservc.log
2014-01-31 18:16 - 2009-12-03 17:54 - 00210919 _____ C:\WINDOWS\system32\nvapps.xml
2014-01-31 18:16 - 2009-12-03 17:29 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2014-01-31 18:14 - 2009-12-03 17:29 - 00032328 _____ C:\WINDOWS\SchedLgU.Txt
2014-01-31 18:10 - 2009-12-13 14:58 - 00000000 ____D C:\Documents and Settings\User 1
2014-01-31 17:58 - 2010-09-20 19:08 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-31 17:57 - 2013-05-18 17:19 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-01-31 00:49 - 2012-03-03 09:35 - 00001002 _____ C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-515967899-1450960922-1801674531-1003UA.job
2014-01-31 00:49 - 2010-12-10 16:27 - 00000982 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1450960922-1801674531-1003UA.job
2014-01-30 15:43 - 2010-02-02 19:19 - 00984576 ___SH C:\Documents and Settings\User 1\Desktop\Thumbs.db
2014-01-30 15:35 - 2014-01-24 19:51 - 00024797 _____ C:\Documents and Settings\User 1\Desktop\attach.txt
2014-01-30 15:35 - 2014-01-24 19:51 - 00012931 _____ C:\Documents and Settings\User 1\Desktop\dds.txt
2014-01-29 13:49 - 2010-12-10 16:27 - 00000930 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1450960922-1801674531-1003Core.job
2014-01-28 19:51 - 2009-12-03 17:29 - 00000000 __SHD C:\Documents and Settings\NetworkService
2014-01-28 19:05 - 2010-01-08 21:31 - 00000000 ____D C:\Documents and Settings\User 1\Application Data\vlc
2014-01-28 00:55 - 2014-01-28 00:55 - 77568440 _____ C:\Documents and Settings\User 1\Desktop\Disney's Frozen - _Let It Go_ Multi-Language Full Sequence.mp4
2014-01-28 00:55 - 2009-12-22 10:43 - 00000069 _____ C:\WINDOWS\NeroDigital.ini
2014-01-27 02:24 - 2009-12-13 15:10 - 00065536 _____ C:\WINDOWS\system32\config\ODiag.evt
2014-01-24 19:37 - 2014-01-24 19:37 - 00009034 _____ C:\Documents and Settings\User 1\My Documents\AVG.csv
2014-01-24 18:49 - 2014-01-23 22:24 - 00000512 _____ C:\Documents and Settings\User 1\Desktop\MBR.dat
2014-01-24 02:18 - 2012-02-04 19:54 - 00050114 _____ C:\WINDOWS\DPINST.LOG
2014-01-24 02:12 - 2014-01-24 02:12 - 00000000 ___SD C:\uninstall
2014-01-24 02:12 - 2014-01-23 22:33 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-24 02:11 - 2014-01-24 02:11 - 00012568 _____ (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
2014-01-24 02:07 - 2013-11-13 14:26 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868626$
2014-01-24 02:05 - 2014-01-24 02:02 - 00000000 ____D C:\AdwCleaner
2014-01-24 00:54 - 2012-09-27 22:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\YTD Video Downloader
2014-01-24 00:54 - 2011-08-21 12:39 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\YouTube Downloader
2014-01-23 23:31 - 2014-01-23 23:24 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2014-01-23 23:14 - 2014-01-23 23:14 - 00050294 _____ C:\ComboFix.txt
2014-01-23 23:08 - 2008-04-14 20:00 - 00000227 _____ C:\WINDOWS\system.ini
2014-01-23 22:43 - 2014-01-23 22:43 - 00000000 _RSHD C:\cmdcons
2014-01-23 22:43 - 2009-12-04 01:13 - 00000327 __RSH C:\boot.ini
2014-01-23 17:43 - 2010-01-08 21:43 - 00000000 ____D C:\Documents and Settings\User 1\Desktop\Icons
2014-01-23 17:32 - 2014-01-23 17:32 - 00000860 _____ C:\Documents and Settings\User 1\Start Menu\BitTorrent.lnk
2014-01-23 17:32 - 2012-04-01 11:57 - 00000000 ____D C:\Program Files\BitTorrent
2014-01-22 23:56 - 2013-08-17 23:42 - 00000000 ____D C:\Program Files\Mozilla Firefox
2014-01-19 11:14 - 2009-12-13 14:58 - 00000178 ___SH C:\Documents and Settings\User 1\ntuser.ini
2014-01-19 11:04 - 2010-01-01 10:31 - 00837390 ___SH C:\Documents and Settings\User 1\My Documents\Thumbs.db
2014-01-16 00:56 - 2014-01-16 00:56 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2914368$
2014-01-16 00:56 - 2014-01-16 00:55 - 00005248 _____ C:\WINDOWS\KB2914368.log
2014-01-16 00:56 - 2009-12-04 01:15 - 01892147 _____ C:\WINDOWS\FaxSetup.log
2014-01-16 00:56 - 2009-12-04 01:15 - 01245520 _____ C:\WINDOWS\iis6.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00932649 _____ C:\WINDOWS\ocgen.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00877620 _____ C:\WINDOWS\tsoc.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00643583 _____ C:\WINDOWS\comsetup.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00593068 _____ C:\WINDOWS\msmqinst.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00390507 _____ C:\WINDOWS\ntdtcsetup.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00334053 _____ C:\WINDOWS\netfxocm.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00132186 _____ C:\WINDOWS\MedCtrOC.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00105803 _____ C:\WINDOWS\ocmsn.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00095550 _____ C:\WINDOWS\msgsocm.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00095527 _____ C:\WINDOWS\tabletoc.log
2014-01-16 00:56 - 2009-12-04 01:15 - 00001374 _____ C:\WINDOWS\imsins.log
 
Some content of TEMP:
====================
C:\Documents and Settings\User 1\Local Settings\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================

Attached Files
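The FRST log above has a regular line shape that is worth knowing when triaging it by hand or in bulk: driver entries read `<state><start> <name>; <path> [<size> <date>] (<company>)`, with `[x]` where the registered file is missing and `No ImagePath` where the service has no file at all, and the "One Month Created/Modified" entries read `<created> - <modified> - <size> <attrs> [(<company>)] <path>`. The following is an added example, not code from FRST or from anyone in this thread: it parses a few lines copied from the posted log and lists the entries a helper would normally want to look at first. The meaning I assign to the start digit (the Windows service Start value) and to the attribute letters (R read-only, S system, H hidden, D directory, C compressed) is my reading of the FRST conventions and should be treated as an assumption, as should the review heuristics themselves.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: lines copied from the FRST log posted in this thread.
SAMPLE_LOG = r"""
S3 ivusb; C:\WINDOWS\System32\DRIVERS\ivusb.sys [25112 2010-07-29] (Initio Corporation)
R3 LVPr2Mon; C:\WINDOWS\System32\Drivers\LVPr2Mon.sys [25752 2009-10-07] ()
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2014-01-23] (Malwarebytes Corporation)
S3 catchme; \??\C:\DOCUME~1\USER1~1\LOCALS~1\Temp\catchme.sys [x]
S0 cerc6; No ImagePath
S3 GGSAFERDriver; \??\D:\Program Files\Garena Plus\Room\safedrv.sys [x]
S4 IntelIde; No ImagePath

==================== One Month Created Files and Folders ========

2014-01-31 18:23 - 2014-01-31 18:23 - 00000000 ____D C:\FRST
2014-01-24 02:11 - 2014-01-24 02:11 - 00012568 _____ (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
2014-01-23 22:43 - 2014-01-23 22:43 - 00000000 _RSHD C:\cmdcons
2014-01-23 22:43 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2014-01-16 00:56 - 2014-01-16 00:56 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2914368$
"""

# Driver/service line: "<state><start> <name>; <rest>"
DRIVER_RE = re.compile(r"^(?P<state>[A-Z])(?P<start>\d) (?P<name>[^;]+); (?P<rest>.+)$")
# "<path> [<size> <yyyy-mm-dd>] (<company>)" -- file present on disk
IMAGE_RE = re.compile(r"^(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>.*)\)$")
# "<path> [x]" -- registered, but the file is not on disk
MISSING_RE = re.compile(r"^(?P<path>.+?) \[x\]$")
# "<created> - <modified> - <size> <attrs> [(<company>)] <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[RSHDC_]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)


@dataclass
class Driver:
    state: str            # R = running, S = stopped (assumed FRST convention)
    start: int            # assumed: Windows Start value, 0 boot .. 4 disabled
    name: str
    path: Optional[str]   # None when the entry has no ImagePath
    size: Optional[int]
    date: Optional[str]
    company: Optional[str]  # "" when FRST printed "()"
    image_missing: bool


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: Set[str]       # assumed: R read-only, S system, H hidden, D directory, C compressed
    company: Optional[str]
    path: str


def _parse_driver(m: "re.Match") -> Driver:
    rest = m["rest"]
    path = size = date = company = None
    missing = False
    if rest == "No ImagePath":
        pass
    elif (im := IMAGE_RE.match(rest)):
        path, size, date, company = im["path"], int(im["size"]), im["date"], im["company"]
    elif (mm := MISSING_RE.match(rest)):
        path, missing = mm["path"], True
    else:
        path = rest  # unrecognised shape: keep the raw text rather than drop it
    return Driver(m["state"], int(m["start"]), m["name"], path, size, date, company, missing)


def parse_frst(text: str) -> Tuple[List[Driver], List[FileEntry]]:
    """Split an FRST log into driver entries and created/modified file entries."""
    drivers: List[Driver] = []
    files: List[FileEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := DRIVER_RE.match(line)):
            drivers.append(_parse_driver(m))
        elif (m := FILE_RE.match(line)):
            files.append(FileEntry(m["created"], m["modified"], int(m["size"]),
                                   set(m["attrs"]) - {"_"}, m["company"], m["path"]))
    return drivers, files


def triage(drivers: List[Driver], files: List[FileEntry]) -> List[Tuple[str, str]]:
    """Return (subject, reason) pairs a helper would normally review first."""
    findings: List[Tuple[str, str]] = []
    for d in drivers:
        if d.path is None:
            findings.append((d.name, "service entry has no ImagePath"))
        elif d.image_missing:
            findings.append((d.name, f"registered driver file is missing on disk: {d.path}"))
        elif d.company == "":
            findings.append((d.name, f"driver file carries no publisher information: {d.path}"))
    for f in files:
        if {"S", "H"} <= f.attrs and "D" not in f.attrs:
            findings.append((f.path, "hidden+system file created in the reporting window"))
        if f.path.lower().endswith(".sys"):
            findings.append((f.path, "kernel driver file created in the reporting window"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    drivers, files = parse_frst(SAMPLE_LOG)
    return triage(drivers, files)


if __name__ == "__main__":
    for subject, reason in run_sample():
        print(f"{subject}: {reason}")
```

The findings are review items, not verdicts: a missing driver file is just as often a leftover from an uninstalled tool as it is something hostile, and the whole point of FRST's layout is to let a person check each entry against what they know was installed.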



#9 laxoole

laxoole
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 31 January 2014 - 05:36 AM

Oh, btw, just informing you: after I did the first step, I immediately safely removed the attached flash drives and then proceeded to do the second step.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,787 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:46 AM

Posted 31 January 2014 - 10:28 AM

However, one infected flash drive still remains. What do I do about it?

Will have to look at this later.

This Chrome extension
CHR HKLM\...\Chrome\Extension: [lkemddiljapcmhicklfpcbpfffahfbja] - C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\extensions\WebNavigation.crx [2013-09-17]
is related to USB Disk Security from ZBShareware.
Topic: http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-chrome&search=USBGuard.exe

Did you install this application recently?
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

SearchScopes: HKLM - DefaultScope value is missing.
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt); please post it in your reply.

Restart the computer normally.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Uncheck the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
p.s. From what I see in your FRST log I suggest you clean everything that will be found.
===

Please post the logs and let me know what problem persists.

#11 laxoole

laxoole
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 31 January 2014 - 11:27 AM

Re: USB - Ok
 
Re: Extension - No, I installed that application a few months ago, thinking that it could help cure my infected flash drives. I downloaded the app on October 26. I forgot when I uninstalled it.
 
Here is the log created by AdwCleaner.
 
# AdwCleaner v3.018 - Report created 01/02/2014 at 00:20:41
# Updated 28/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : User 1 - PC
# Running from : C:\Documents and Settings\User 1\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Mozilla Firefox v22.0 (en-US)
 
[ File : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\prefs.js ]
 
 
[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g5v56341.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [34210 octets] - [24/01/2014 02:02:59]
AdwCleaner[R1].txt - [1195 octets] - [01/02/2014 00:19:05]
AdwCleaner[S0].txt - [34656 octets] - [24/01/2014 02:04:48]
AdwCleaner[S1].txt - [1117 octets] - [01/02/2014 00:20:41]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1177 octets] ##########
 


#12 laxoole

laxoole
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 31 January 2014 - 11:28 AM

Just to inform you, this is the second time I did an AdwCleaner scan.

Here is the log of the first one:

# AdwCleaner v3.017 - Report created 24/01/2014 at 02:04:48
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : User 1 - PC
# Running from : C:\Documents and Settings\User 1\My Documents\Downloads\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : APNMCP
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\All Users\Application Data\apn
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Program Files\AskPartnerNetwork
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\Program Files\Web Cake
Folder Deleted : C:\Program Files\Common Files\Spigot
Folder Deleted : C:\Documents and Settings\User 1\Local Settings\Application Data\apn
Folder Deleted : C:\Documents and Settings\User 1\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\Conduit
Folder Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\ConduitCommon
Folder Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\CT2790392
Folder Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\Extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
File Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\searchplugins\Askcom.xml
File Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\searchplugins\ask-search.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\searchplugins\Conduit.xml
File Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g5v56341.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\user.js
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eiimolhnbbbdagljikeckdkldgemmmlj
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\4shared Tools
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnTbMon]
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2233703
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2463487
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2790392
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A1F1ECD3-4806-44C6-A869-F0DADF11C57C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7854F00C-DC77-477E-A10E-603F48442D3B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4250488A-CB24-0893-C066-B1AEA57BCFF2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AskPartnerNetwork
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Myfree Codec
Key Deleted : HKCU\Software\PIP
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKLM\Software\AskPartnerNetwork
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Myfree Codec
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\TENCENT
Key Deleted : HKLM\Software\Trymedia Systems
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IM
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IM
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ShoppingReport2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default]
 
-\\ Mozilla Firefox v22.0 (en-US)
 
[ File : C:\Documents and Settings\User 1\Application Data\Mozilla\Firefox\Profiles\07jdsf4t.default\prefs.js ]
 
Line Deleted : user_pref("CT2463487.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Line Deleted : user_pref("CT2463487.CTID", "CT2463487");
Line Deleted : user_pref("CT2463487.CurrentServerDate", "3-6-2010");
Line Deleted : user_pref("CT2463487.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT2463487.EMailNotifierPollDate", "Thu Jun 03 2010 09:21:38 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.FirstServerDate", "2-6-2010");
Line Deleted : user_pref("CT2463487.FirstTime", true);
Line Deleted : user_pref("CT2463487.FirstTimeFF3", true);
Line Deleted : user_pref("CT2463487.FixPageNotFoundErrors", true);
Line Deleted : user_pref("CT2463487.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT2463487.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Line Deleted : user_pref("CT2463487.Initialize", true);
Line Deleted : user_pref("CT2463487.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT2463487.InstalledDate", "Wed Jun 02 2010 23:30:31 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.InvalidateCache", false);
Line Deleted : user_pref("CT2463487.IsGrouping", false);
Line Deleted : user_pref("CT2463487.IsMulticommunity", false);
Line Deleted : user_pref("CT2463487.IsOpenThankYouPage", false);
Line Deleted : user_pref("CT2463487.IsOpenUninstallPage", true);
Line Deleted : user_pref("CT2463487.LanguagePackLastCheckTime", "Wed Jun 02 2010 23:30:35 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT2463487.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
Line Deleted : user_pref("CT2463487.LastLogin_2.5.6.0", "Thu Jun 03 2010 09:21:37 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.LatestVersion", "2.1.0.18");
Line Deleted : user_pref("CT2463487.Locale", "en");
Line Deleted : user_pref("CT2463487.LoginCache", 4);
Line Deleted : user_pref("CT2463487.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT2463487.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Line Deleted : user_pref("CT2463487.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT2463487.RadioIsPodcast", false);
Line Deleted : user_pref("CT2463487.RadioLastCheckTime", "Wed Jun 02 2010 23:30:35 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.RadioLastUpdateIPServer", "3");
Line Deleted : user_pref("CT2463487.RadioLastUpdateServer", "129042273303200000");
Line Deleted : user_pref("CT2463487.RadioMediaID", "13027686");
Line Deleted : user_pref("CT2463487.RadioMediaType", "Media Player");
Line Deleted : user_pref("CT2463487.RadioMenuSelectedID", "EBRadioMenu_CT246348713027686");
Line Deleted : user_pref("CT2463487.RadioStationName", "ckln.fm");
Line Deleted : user_pref("CT2463487.RadioStationURL", "hxxp://141.117.225.9:8000");
Line Deleted : user_pref("CT2463487.SHRINK_TOOLBAR", 1);
Line Deleted : user_pref("CT2463487.SavedHomepage", "hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official");
Line Deleted : user_pref("CT2463487.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TERM&ctid=CT2463487&octid=EB_ORIGINAL_CTID&SearchSource=1");
Line Deleted : user_pref("CT2463487.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT2463487.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2463487&q=");
Line Deleted : user_pref("CT2463487.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT2463487.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT2463487.SearchInNewTabLastCheckTime", "Wed Jun 02 2010 23:30:33 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2463487.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageService.asmx/UsersRequests?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2463487.SettingsCheckIntervalMin", 120);
Line Deleted : user_pref("CT2463487.SettingsLastCheckTime", "Thu Jun 03 2010 09:21:34 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.SettingsLastUpdate", "1275228323");
Line Deleted : user_pref("CT2463487.ThirdPartyComponentsInterval", 504);
Line Deleted : user_pref("CT2463487.ThirdPartyComponentsLastCheck", "Wed Jun 02 2010 23:30:27 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.ThirdPartyComponentsLastUpdate", "1275228323");
Line Deleted : user_pref("CT2463487.TrusteLinkUrl", "hxxp://www.truste.org/pvr.php?page=validate&softwareProgramId=101&sealid=112");
Line Deleted : user_pref("CT2463487.UserID", "UN43536688480688956");
Line Deleted : user_pref("CT2463487.WeatherNetwork", "");
Line Deleted : user_pref("CT2463487.WeatherPollDate", "Thu Jun 03 2010 09:21:38 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2463487.WeatherUnit", "C");
Line Deleted : user_pref("CT2463487.alertChannelId", "857155");
Line Deleted : user_pref("CT2463487.clientLogIsEnabled", true);
Line Deleted : user_pref("CT2463487.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
Line Deleted : user_pref("CT2463487.myStuffEnabled", true);
Line Deleted : user_pref("CT2463487.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT2463487.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
Line Deleted : user_pref("CT2463487.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT2463487.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
Line Deleted : user_pref("CT2463487.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
Line Deleted : user_pref("CT2790392..clientLogIsEnabled", false);
Line Deleted : user_pref("CT2790392..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
Line Deleted : user_pref("CT2790392..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
Line Deleted : user_pref("CT2790392.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Line Deleted : user_pref("CT2790392.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Line Deleted : user_pref("CT2790392.BrowserCompStateIsOpen_129633547190125290", true);
Line Deleted : user_pref("CT2790392.BrowserCompStateIsOpen_130059329278017115", true);
Line Deleted : user_pref("CT2790392.BrowserCompStateIsOpen_1359634298000", true);
Line Deleted : user_pref("CT2790392.CTID", "CT2790392");
Line Deleted : user_pref("CT2790392.CurrentServerDate", "6-8-2013");
Line Deleted : user_pref("CT2790392.DSInstall", false);
Line Deleted : user_pref("CT2790392.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT2790392.DialogsGetterLastCheckTime", "Fri Aug 02 2013 15:56:05 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.DownloadReferralCookieData", "");
Line Deleted : user_pref("CT2790392.EMailNotifierPollDate", "Thu Mar 22 2012 19:36:02 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedLastCount129313977501788460", 173);
Line Deleted : user_pref("CT2790392.FeedPollDate129313974171006416", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313975698350231", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313976370850190", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313976648818968", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313977444757117", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313980389131455", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313980655381977", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313980886163259", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313981234756535", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313983226631720", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedPollDate129313983607725691", "Thu Mar 22 2012 19:36:03 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.FeedTTL129313974171006416", 10);
Line Deleted : user_pref("CT2790392.FeedTTL129313977444757117", 15);
Line Deleted : user_pref("CT2790392.FeedTTL129313980655381977", 5);
Line Deleted : user_pref("CT2790392.FeedTTL129313981234756535", 5);
Line Deleted : user_pref("CT2790392.FirstServerDate", "22-3-2012");
Line Deleted : user_pref("CT2790392.FirstTime", true);
Line Deleted : user_pref("CT2790392.FirstTimeFF3", true);
Line Deleted : user_pref("CT2790392.FixPageNotFoundErrors", true);
Line Deleted : user_pref("CT2790392.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT2790392.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Line Deleted : user_pref("CT2790392.HPInstall", false);
Line Deleted : user_pref("CT2790392.HasUserGlobalKeys", true);
Line Deleted : user_pref("CT2790392.HomePageProtectorEnabled", false);
Line Deleted : user_pref("CT2790392.HomepageBeforeUnload", "about:home");
Line Deleted : user_pref("CT2790392.Initialize", true);
Line Deleted : user_pref("CT2790392.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT2790392.InstallationAndCookieDataSentCount", 3);
Line Deleted : user_pref("CT2790392.InstallationId", "ConduitXPEIntegration");
Line Deleted : user_pref("CT2790392.InstallationType", "ConduitXPEIntegration");
Line Deleted : user_pref("CT2790392.InstalledDate", "Thu Mar 22 2012 09:47:23 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.IsAlertDBUpdated", true);
Line Deleted : user_pref("CT2790392.IsGrouping", false);
Line Deleted : user_pref("CT2790392.IsInitSetupIni", true);
Line Deleted : user_pref("CT2790392.IsMulticommunity", false);
Line Deleted : user_pref("CT2790392.IsOpenThankYouPage", true);
Line Deleted : user_pref("CT2790392.IsOpenUninstallPage", false);
Line Deleted : user_pref("CT2790392.LanguagePackLastCheckTime", "Tue Aug 06 2013 10:57:32 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT2790392.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
Line Deleted : user_pref("CT2790392.LastLogin_3.10.0.1", "Thu Mar 22 2012 19:36:04 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LastLogin_3.12.2.3", "Mon Jun 11 2012 22:36:50 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LastLogin_3.13.0.6", "Sat Jul 21 2012 18:54:34 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LastLogin_3.14.1.0", "Tue Aug 28 2012 21:02:48 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LastLogin_3.15.1.0", "Wed Nov 07 2012 09:56:05 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LastLogin_3.16.0.3", "Fri Jun 21 2013 18:34:42 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LastLogin_3.18.0.7", "Wed Jul 17 2013 21:01:51 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LastLogin_3.19.0.3", "Tue Aug 06 2013 20:22:12 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.LatestVersion", "3.19.0.3");
Line Deleted : user_pref("CT2790392.Locale", "en");
Line Deleted : user_pref("CT2790392.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT2790392.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Line Deleted : user_pref("CT2790392.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT2790392.MyStuffEnabledAtInstallation", true);
Line Deleted : user_pref("CT2790392.OriginalFirstVersion", "3.10.0.1");
Line Deleted : user_pref("CT2790392.SearchCaption", "BitTorrentBar Customized Web Search");
Line Deleted : user_pref("CT2790392.SearchEngineBeforeUnload", "Yahoo");
Line Deleted : user_pref("CT2790392.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT2790392.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=2&q=");
Line Deleted : user_pref("CT2790392.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT2790392.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT2790392.SearchInNewTabLastCheckTime", "Tue Aug 06 2013 10:57:28 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID&UM=UM_ID");
Line Deleted : user_pref("CT2790392.SearchInNewTabUserEnabled", false);
Line Deleted : user_pref("CT2790392.SearchProtectorEnabled", false);
Line Deleted : user_pref("CT2790392.SearchProtectorToolbarDisabled", true);
Line Deleted : user_pref("CT2790392.SendProtectorDataViaLogin", true);
Line Deleted : user_pref("CT2790392.ServiceMapLastCheckTime", "Tue Aug 06 2013 11:10:01 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.SettingsLastCheckTime", "Tue Aug 06 2013 20:22:04 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.SettingsLastUpdate", "1375776755");
Line Deleted : user_pref("CT2790392.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13");
Line Deleted : user_pref("CT2790392.ThirdPartyComponentsInterval", 504);
Line Deleted : user_pref("CT2790392.ThirdPartyComponentsLastCheck", "Thu Mar 22 2012 09:47:22 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.ThirdPartyComponentsLastUpdate", "1312887586");
Line Deleted : user_pref("CT2790392.ToolbarDisabled", true);
Line Deleted : user_pref("CT2790392.ToolbarShrinkedFromSetup", false);
Line Deleted : user_pref("CT2790392.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2790392");
Line Deleted : user_pref("CT2790392.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
Line Deleted : user_pref("CT2790392.UserID", "UN75748525410399157");
Line Deleted : user_pref("CT2790392.WeatherNetwork", "");
Line Deleted : user_pref("CT2790392.WeatherPollDate", "Thu Mar 22 2012 19:36:04 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.WeatherUnit", "C");
Line Deleted : user_pref("CT2790392.alertChannelId", "1182482");
Line Deleted : user_pref("CT2790392.autoDisableScopes", 0);
Line Deleted : user_pref("CT2790392.backendstorage.scriptsource", "687474703A2F2F3132372E302E302E313A31303030302F6775692F");
Line Deleted : user_pref("CT2790392.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.conduit.com;apps.conduit.com;services.apps.conduit.com\",\"AppsDetectionUrlPattern\":\"hxxp://appdown[...]
Line Deleted : user_pref("CT2790392.globalFirstTimeInfoLastCheckTime", "Thu Mar 22 2012 09:47:24 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.homepageProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2790392.initDone", true);
Line Deleted : user_pref("CT2790392.isAppTrackingManagerOn", true);
Line Deleted : user_pref("CT2790392.myStuffEnabled", true);
Line Deleted : user_pref("CT2790392.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT2790392.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
Line Deleted : user_pref("CT2790392.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT2790392.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
Line Deleted : user_pref("CT2790392.navigateToUrlOnSearch", false);
Line Deleted : user_pref("CT2790392.revertSettingsEnabled", true);
Line Deleted : user_pref("CT2790392.searchProtectorDialogDelayInSec", 10);
Line Deleted : user_pref("CT2790392.searchProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2790392.testingCtid", "");
Line Deleted : user_pref("CT2790392.toolbarAppMetaDataLastCheckTime", "Tue Aug 06 2013 10:57:31 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.toolbarContextMenuLastCheckTime", "Thu Mar 22 2012 09:47:31 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CT2790392.usagesFlag", 2);
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT2790392/CT2790392", "\"e1be945c66c6164b9d8ca535cc77b6863\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1182482/1178159/PH", "\"0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2790392", "\"1361459328\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en", "wVmmvqqOMqrv5xct1cJIHg==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en", "B8Px/Te74hi98N2hb9yOAQ==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en", "ktZKgREPsk5m13TY9rsX+A==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en", "K4Vqu91uAzWURlxJRdXJOg==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\"80133a6b165cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.10.0.1", "\"801a319dd78ccc1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.12.2.3", "\"4ead38b3e6bcd1:145a\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13.0.6", "\"04afd94b864cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.14.1.0", "\"0e0a4327275cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.15.1.0", "\"0343677cfb1cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.16.0.3", "\"0343677cfb1cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.18.0.7", "\"0343677cfb1cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.19.0.3", "\"97e416bb586ce1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2790392", "\"9971ee9815a5fc569766cf6ddcaaca8e\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"87223aa60340be86cb7b2417e03e2208\"");
Line Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Documents and Settings\\User 1\\Application Data\\Mozilla\\Firefox\\Profiles\\07jdsf4t.default\\conduitCommon\\modules\\3.10.0.1");
Line Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.10.0.1");
Line Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_au&p=");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2463487,CT2790392");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2463487,CT2790392");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2790392");
Line Deleted : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Thu Mar 22 2012 09:47:26 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CommunityToolbar.globalUserId", "aa787665-0e55-4bfe-b8a3-87b19b263c80");
Line Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2790392");
Line Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Thu Mar 22 2012 09:47:31 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 1440);
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Thu Mar 22 2012 20:36:10 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
Line Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Thu Mar 22 2012 09:47:21 GMT+0800 (Malay Peninsula Standard Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Line Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Line Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Line Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Line Deleted : user_pref("CommunityToolbar.notifications.userId", "347c5454-cfde-4447-a0f7-5607799f5769");
Line Deleted : user_pref("CommunityToolbar.originalHomepage", "about:home");
Line Deleted : user_pref("CommunityToolbar.originalSearchEngine", "Yahoo");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "Brothersoft Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2463487&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("extensions.helperbar.DockingPositionDown", false);
Line Deleted : user_pref("extensions.helperbar.LastHiddenTime", 22929883);
Line Deleted : user_pref("extensions.helperbar.SmartbarDisabled", true);
Line Deleted : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);
Line Deleted : user_pref("extensions.helperbar.Visibility", true);
Line Deleted : user_pref("extensions.helperbar.countryiso", "ph");
Line Deleted : user_pref("extensions.helperbar.downloadprovider", "snapdoocyb");
Line Deleted : user_pref("extensions.helperbar.installationid", "337fd38e-6226-40ad-bd50-38b41aa74629");
Line Deleted : user_pref("extensions.helperbar.installdate", "06/08/2013");
Line Deleted : user_pref("extensions.helperbar.publisher", "snapdoocyb");
Line Deleted : user_pref("extentions.webcake.defaultEnableAppsList", "layers/banner,layers/inline,layers/search,layers/shopping,newOffers/wc");
Line Deleted : user_pref("extentions.webcake.installId", "de869c60-0c52-46a1-8919-dca7918d32e2");
 
[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g5v56341.default\prefs.js ]
 
Line Deleted : user_pref("browser.startup.homepage", "hxxp://feed.snapdo.com/?publisher=SnapdoOCYB&dpid=SnapdoOCYB&co=PH&userid=337fd38e-6226-40ad-bd50-38b41aa74629&searchtype=hp&installDate=06/08/2013");
Line Deleted : user_pref("browser.search.selectedEngine", "Web Search");
Line Deleted : user_pref("keyword.URL", "hxxp://feed.snapdo.com/?publisher=SnapdoOCYB&dpid=SnapdoOCYB&co=PH&userid=337fd38e-6226-40ad-bd50-38b41aa74629&searchtype=ds&installDate=06/08/2013&q=");
Line Deleted : user_pref("browser.newtab.url", "hxxp://feed.snapdo.com/?publisher=SnapdoOCYB&dpid=SnapdoOCYB&co=PH&userid=337fd38e-6226-40ad-bd50-38b41aa74629&searchtype=nt&installDate=06/08/2013&q=");
 
-\\ Google Chrome v
 
[ File : C:\Documents and Settings\User 1\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
Deleted : homepage
 
*************************
 
AdwCleaner[R0].txt - [34210 octets] - [24/01/2014 02:02:59]
AdwCleaner[S0].txt - [34514 octets] - [24/01/2014 02:04:48]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [34575 octets] ##########


#13 laxoole

  • Topic Starter
  • Members

Posted 31 January 2014 - 11:30 AM

Here are the attachments

Attached Files



#14 laxoole

  • Topic Starter
  • Members

Posted 31 January 2014 - 11:33 AM

Here is the Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 29-01-2014 01

Ran by User 1 at 2014-02-01 00:08:42 Run:1
Running from C:\Documents and Settings\User 1\My Documents\Downloads
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
 
SearchScopes: HKLM - DefaultScope value is missing.
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
end
*****************
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
HKCU\SOFTWARE\Policies\Google => Key deleted successfully.
 
==== End of Fixlog ====

Attached Files



#15 laxoole

  • Topic Starter
  • Members

Posted 31 January 2014 - 11:36 AM

Oh, and by 'problems' what do you mean?





