
Redirect virus, My PC Backup, etc...


27 replies to this topic

#1 Tsuki17


Posted 11 February 2014 - 10:47 PM

Hi, I've been working on getting rid of the multiple viruses on my Grandmother's computer, but they are so bad that nothing I've tried has worked. This happened about a year ago and you guys were super helpful then, and I'm hoping for some help once more. Her web browsers are all redirecting to false virus sites and saying that she needs to fix her PC now; fake things pop up that look like Microsoft Essentials, full of found viruses and trojans... also there are numerous programs on her desktop that she didn't download... My PC Backup, Installconverter, Sync Folder, ArcadeParlor, Expert PDF Reader, etc. It seems that several new programs appear every day. I'm really at a loss as to how to proceed and any help is greatly appreciated.

 

Here is the DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.51.2
Run by Mams Speed Machine at 22:30:33 on 2014-02-11
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6133.3532 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\MyPC Backup\BackupStack.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\PROGRA~2\SearchProtect\SearchProtect\bin\cltmng.exe
C:\PROGRA~2\SearchProtect\UI\bin\cltmngui.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_44_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
uSearch Bar = Preserve
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll
BHO: Websteroids: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\ProgramData\Websteroids\IE\common.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: ChromeFrame BHO: {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001045-0002-0045-ABCDEFFEDCBC} - <orphaned>
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe"
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 97.81.22.195 71.92.29.130 24.217.201.67
TCP: Interfaces\{004DD533-337D-4FA5-A83E-81CD6DCB1AB4} : DHCPNameServer = 24.197.160.17 24.197.160.18
TCP: Interfaces\{6AF8589A-9D57-4A20-AA3D-C262D4AB88A8} : DHCPNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
TCP: Interfaces\{BF3B7F7A-3782-453D-A658-63A8AC5D09D9} : DHCPNameServer = 97.81.22.195 24.177.176.38 24.178.162.3
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll
AppInit_DLLs= C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
x64-BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SmartMenu] C:\Program Files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
x64-Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" -expressboot
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-Explorer: NoDrives = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - LocalServer32 - <no file>
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C&SSPV=C29650A_sp_ff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20140207,20030,0,18,0
FF - prefs.js: browser.search.selectedEngine - Conduit Search
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\NP39EISb.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMSS.dll
FF - plugin: C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll
FF - ExtSQL: !HIDDEN! 2010-08-19 20:46; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;C:\Windows\System32\drivers\RtlProt.sys [2007-4-23 31016]
R2 BackupStack;Computer Backup (MyPC Backup);C:\Program Files (x86)\MyPC Backup\BackupStack.exe [2014-2-6 36392]
R2 CltMngSvc;Search Protect by Conduit Service;C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe [2014-2-3 2317600]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 134944]
R2 PCASp50a64;PCASp50a64 NDIS Protocol Driver;C:\Windows\System32\drivers\PCASp50a64.sys [2009-10-4 41280]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;C:\Windows\System32\drivers\wg111v3.sys [2009-10-14 418816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\System32\drivers\athrxusb.sys [2007-11-29 1064448]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [2013-9-6 288776]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2013-7-20 1022632]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2014-02-05 16:05:13 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-05 16:05:13 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-16 08:00:26 86054176 ----a-w- C:\Windows\System32\mrt.exe
2013-12-19 02:09:39 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-12-19 02:04:13 264616 ----a-w- C:\Windows\SysWow64\javaws.exe
2013-12-19 02:04:09 175016 ----a-w- C:\Windows\SysWow64\javaw.exe
2013-12-19 02:03:46 174504 ----a-w- C:\Windows\SysWow64\java.exe
2013-11-15 02:09:03 17847296 ----a-w- C:\Windows\System32\mshtml.dll
2013-11-15 01:42:57 10926080 ----a-w- C:\Windows\System32\ieframe.dll
2013-11-15 01:37:29 2334720 ----a-w- C:\Windows\System32\jscript9.dll
2013-11-15 01:29:33 1347072 ----a-w- C:\Windows\System32\urlmon.dll
2013-11-15 01:29:03 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-11-15 01:28:41 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-11-15 01:28:00 237056 ----a-w- C:\Windows\System32\url.dll
2013-11-15 01:25:24 85504 ----a-w- C:\Windows\System32\jsproxy.dll
2013-11-15 01:22:21 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-11-15 01:20:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-11-15 01:20:45 816640 ----a-w- C:\Windows\System32\jscript.dll
2013-11-15 01:19:54 2147840 ----a-w- C:\Windows\System32\iertutil.dll
2013-11-15 01:19:47 729088 ----a-w- C:\Windows\System32\msfeeds.dll
2013-11-15 01:18:24 96768 ----a-w- C:\Windows\System32\mshtmled.dll
2013-11-15 01:18:03 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-11-15 01:12:57 248320 ----a-w- C:\Windows\System32\ieui.dll
2013-11-14 23:13:33 12344320 ----a-w- C:\Windows\SysWow64\mshtml.dll
2013-11-14 22:50:50 1806848 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-11-14 22:50:06 9739264 ----a-w- C:\Windows\SysWow64\ieframe.dll
2013-11-14 22:43:24 1105408 ----a-w- C:\Windows\SysWow64\urlmon.dll
2013-11-14 22:42:41 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-11-14 22:42:32 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-11-14 22:41:18 231936 ----a-w- C:\Windows\SysWow64\url.dll
2013-11-14 22:40:04 65024 ----a-w- C:\Windows\SysWow64\jsproxy.dll
2013-11-14 22:38:54 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-11-14 22:38:35 717824 ----a-w- C:\Windows\SysWow64\jscript.dll
2013-11-14 22:38:16 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-11-14 22:37:32 607744 ----a-w- C:\Windows\SysWow64\msfeeds.dll
2013-11-14 22:36:16 1796096 ----a-w- C:\Windows\SysWow64\iertutil.dll
2013-11-14 22:36:08 73216 ----a-w- C:\Windows\SysWow64\mshtmled.dll
2013-11-14 22:35:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-11-14 22:32:56 176640 ----a-w- C:\Windows\SysWow64\ieui.dll
.
============= FINISH: 22:31:00.00 ===============
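A small triage script for the DDS log format posted above, added here as an example and not part of the original thread or of the DDS tool: it parses the BHO, AppInit_DLLs, Firefox prefs and service lines and ranks the ones that match the adware/PUP indicators visible in this log. The sample lines are a trimmed subset copied from the log above; the PUP_KEYWORDS list is an assumption drawn from the families named there, not a vendor signature set.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and services/drivers lines."""
import re
from dataclasses import dataclass

# Sample lines, a trimmed subset of the DDS log posted in this thread
# (the long Conduit URL is shortened; everything else is as posted).
SAMPLE_LOG = r"""
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Websteroids: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\ProgramData\Websteroids\IE\common.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
AppInit_DLLs= C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3319613
FF - prefs.js: browser.search.selectedEngine - Conduit Search
FF - prefs.js: network.proxy.type - 0
R2 CltMngSvc;Search Protect by Conduit Service;C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe [2014-2-3 2317600]
R2 BackupStack;Computer Backup (MyPC Backup);C:\Program Files (x86)\MyPC Backup\BackupStack.exe [2014-2-6 36392]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
"""

# Assumption: a hand-picked keyword list for the adware/PUP families that
# appear in this log. It is not a vendor signature set.
PUP_KEYWORDS = ("searchprotect", "conduit", "websteroids", "mypc backup", "mapsgalaxy")

# DDS line shapes handled here (x64- prefixed variants included).
BHO_RE = re.compile(r"^(?:x64-)?BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) -\s*(?P<path>.*)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)(?: \[.*\])?$")
FF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")
APPINIT_RE = re.compile(r"^(?:x64-)?AppInit_DLLs\s*=\s*(?P<value>.*)$")
HIJACK_PREFS = ("browser.startup.homepage", "browser.search.selectedEngine", "keyword.URL")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def _is_pup(text):
    t = text.lower()
    return any(k in t for k in PUP_KEYWORDS)


def triage_line(line):
    """Return a Finding for one DDS line, or None if nothing stands out."""
    line = line.strip()
    m = APPINIT_RE.match(line)
    if m:
        # A non-empty AppInit_DLLs value is loaded into every process that
        # maps user32.dll, so any entry deserves a look.
        if m.group("value").strip():
            return Finding("high", "AppInit_DLLs injects a DLL into every user32 process", line)
        return None
    m = BHO_RE.match(line)
    if m:
        path = m.group("path").strip()
        if path in ("", "<orphaned>"):
            return Finding("low", "orphaned BHO registration (CLSID with no file)", line)
        if _is_pup(path) or _is_pup(m.group("name") or ""):
            return Finding("medium", "BHO belongs to a listed adware/PUP family", line)
        return None
    m = SVC_RE.match(line)
    if m:
        if _is_pup(m.group("desc")) or _is_pup(m.group("path")):
            return Finding("medium", "service/driver belongs to a listed adware/PUP family", line)
        return None
    m = FF_RE.match(line)
    if m and m.group("pref") in HIJACK_PREFS and _is_pup(m.group("value")):
        return Finding("medium", "Firefox homepage/search points at a PUP search engine", line)
    return None


def triage(log_text):
    """Triage a whole DDS log; findings come back ordered high -> medium -> low."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```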
 




#2 CatByte

  • Malware Response Team

Posted 12 February 2014 - 11:32 AM

Hello and welcome to Bleeping Computer,

Please run the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Tsuki17

  • Topic Starter

Posted 12 February 2014 - 06:27 PM

Thank you so much for your help, CatByte! :) Just a side note: if I suddenly don't reply, it's because where I am in the southeastern US we are having severe ice storms and many houses in my area are without power. So far we have been lucky and still have ours, but we still have another day of sleet and snow to go... crossing my fingers it doesn't go out! lol So yeah...

 

Here is the log that Farbar created, and I've attached the Addition.txt file:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-02-2014 01
Ran by Mams Speed Machine (administrator) on MAMSSPEEDMAC-PC on 12-02-2014 18:20:34
Running from C:\Users\Mams Speed Machine\Downloads
Windows Vista ™ Home Premium Service Pack 2 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agr64svc.exe
(Just Develop It) C:\Program Files (x86)\MyPC Backup\BackupStack.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard Company) c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(AVG) C:\Program Files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
(Conduit) C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Conduit) C:\Program Files (x86)\SearchProtect\SearchProtect\bin\cltmng.exe
(Conduit) C:\Program Files (x86)\SearchProtect\UI\bin\cltmngui.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
() C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
(BillP Studios) C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
() C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Hewlett-Packard) c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\IELowutil.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_44_ActiveX.exe
(Oracle Corporation) C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
(Oracle Corporation) C:\Program Files (x86)\Java\jre7\bin\java.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HP Remote Software] - C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [915512 2009-03-05] (Hewlett-Packard)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2008-12-04] (Intel Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [WinPatrol] - C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [404712 2013-01-04] (BillP Studios)
HKLM-x32\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Health Check Scheduler] - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75016 2008-12-04] (Hewlett-Packard)
HKLM-x32\...\Run: [UpdateP2GoShortCut] - c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] - c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] - c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] - c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe [210216 2009-02-02] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] - c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe [1328424 2009-04-10] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] - c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe [185640 2009-04-10] (CyberLink)
HKLM-x32\...\Run: [DVDAgent] - c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe [1148200 2009-03-19] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [hpqSRMon] - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150016 2008-08-20] (Hewlett-Packard)
HKLM-x32\...\Run: [WinPatrol] - C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe [404712 2013-01-04] (BillP Studios)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-575212393-84608004-1612600079-1000\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1689144 2010-06-29] (Hewlett-Packard)
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll [1350944 2014-02-03] (Conduit)
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32Loader.dll [1046816 2014-02-03] (Conduit)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {05223EBF-1359-4310-88FF-1581B2A7C0A0} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM - {E4AC6792-B4AA-4C34-9858-E84C94B89383} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
SearchScopes: HKLM-x32 - {05223EBF-1359-4310-88FF-1581B2A7C0A0} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {E4AC6792-B4AA-4C34-9858-E84C94B89383} URL = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C&q={searchTerms}&SSPV=C29650A_sp_ie
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C&q={searchTerms}&SSPV=C29650A_sp_ie
BHO: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Websteroids - {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\ProgramData\Websteroids\IE\common.dll (Creative Island Media, LLC)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll (Google Inc.)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} -  No File
Handler-x32: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files (x86)\Google\Chrome Frame\Application\32.0.1700.107\npchrome_frame.dll (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 97.81.22.195 71.92.29.130 24.217.201.67

FireFox:
========
FF ProfilePath: C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default
FF user.js: detected! => C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\user.js
FF SearchEngineOrder.1: Yahoo
FF SearchEngineOrder.user_pref("browser.search.order.2", "");: user_pref("browser.search.order.2", "");
FF Homepage: hxxp://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C&SSPV=C29650A_sp_ff
FF Keyword.URL: hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20140207,20030,0,18,0
FF NetworkProxy: "type", 0
FF SelectedSearchEngine: Conduit Search
FF NewTab: hxxp://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=C29650A_sp_ff&Lay=1&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
FF Plugin-x32: @ei.MapsGalaxy_39.com/Plugin - C:\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\NP39EISB.dll (MapsGalaxy)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @movenetworks.com/Quantum Media Player - C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll (Move Networks)
FF SearchPlugin: C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\searchplugins\conduit-search.xml
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM-x32\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - C:\Program Files (x86)\Fiddler2\FiddlerHook
FF Extension: FiddlerHook - C:\Program Files (x86)\Fiddler2\FiddlerHook [2009-12-24]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-08-19]
FF HKCU\...\Firefox\Extensions: [moveplayer@movenetworks.com] - C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks
FF Extension: Move Media Player - C:\Users\Mams Speed Machine\AppData\Roaming\Move Networks [2009-11-26]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-08-19]
FF HKCU\...\Firefox\Extensions: [support@unfriendapp.com] - C:\Program Files (x86)\UnfriendApp\Firefox\
FF HKCU\...\Firefox\Extensions: [support@websteroidsapp.com] - C:\ProgramData\Websteroids\Firefox\
FF Extension: Websteroids - C:\ProgramData\Websteroids\Firefox\ []

==================== Services (Whitelisted) =================

R2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [36392 2014-02-06] (Just Develop It)
R2 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [2317600 2014-02-03] (Conduit)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 athrusb; C:\Windows\System32\DRIVERS\athrxusb.sys [1064448 2007-11-29] (Atheros Communications, Inc.)
S1 Beep; No ImagePath
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R2 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187; system32\DRIVERS\wg111v2.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-12 18:20 - 2014-02-12 18:20 - 00018161 _____ () C:\Users\Mams Speed Machine\Downloads\FRST.txt
2014-02-12 18:20 - 2014-02-12 18:20 - 00000000 ____D () C:\FRST
2014-02-12 18:19 - 2014-02-12 18:20 - 02152448 _____ (Farbar) C:\Users\Mams Speed Machine\Downloads\FRST64.exe
2014-02-11 22:33 - 2014-02-11 22:33 - 00006843 _____ () C:\Users\Mams Speed Machine\Desktop\attach.txt
2014-02-11 22:33 - 2014-02-11 22:31 - 00018999 _____ () C:\Users\Mams Speed Machine\Desktop\dds.txt
2014-02-11 22:29 - 2014-02-11 22:29 - 00688992 ____R (Swearware) C:\Users\Mams Speed Machine\Downloads\dds (1).com
2014-02-11 14:44 - 2014-02-11 14:44 - 00001770 _____ () C:\Users\Mams Speed Machine\Desktop\Sync Folder.lnk
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Local\SearchProtect
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-02-11 14:43 - 2014-02-11 22:16 - 00000000 ____D () C:\Program Files (x86)\MyPC Backup
2014-02-11 14:43 - 2014-02-11 14:44 - 00353964 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistMSI08F9.txt
2014-02-11 14:43 - 2014-02-11 14:44 - 00014814 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistUI08F9.txt
2014-02-11 14:43 - 2014-02-11 14:43 - 00001765 _____ () C:\Users\Public\Desktop\InstallConverter.lnk
2014-02-11 14:43 - 2014-02-11 14:43 - 00000888 _____ () C:\Users\Mams Speed Machine\Desktop\MyPC Backup.lnk
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\ProgramData\Websteroids
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\Program Files (x86)\InstallConverter
2014-02-10 16:04 - 2014-02-11 00:40 - 00000000 ____D () C:\ProgramData\Fighters
2014-02-10 16:04 - 2014-02-11 00:38 - 00000000 ____D () C:\ProgramData\Yahoo!
2014-02-10 16:03 - 2014-02-10 16:03 - 00911896 _____ (SafeInstall, LLC) C:\Users\Mams Speed Machine\Downloads\pdf_14376_stn.exe
2014-01-29 14:26 - 2014-01-29 14:26 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-01-22 18:43 - 2014-01-22 18:43 - 00001884 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk
2014-01-20 06:18 - 2013-12-18 21:09 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-01-20 06:18 - 2013-12-18 21:04 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-01-20 06:18 - 2013-12-18 21:04 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-01-20 06:18 - 2013-12-18 21:03 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-01-20 06:17 - 2014-01-20 06:18 - 00005175 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log

==================== One Month Modified Files and Folders =======

2014-02-12 18:20 - 2014-02-12 18:20 - 00018161 _____ () C:\Users\Mams Speed Machine\Downloads\FRST.txt
2014-02-12 18:20 - 2014-02-12 18:20 - 00000000 ____D () C:\FRST
2014-02-12 18:20 - 2014-02-12 18:19 - 02152448 _____ (Farbar) C:\Users\Mams Speed Machine\Downloads\FRST64.exe
2014-02-12 18:15 - 2006-11-02 10:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-12 18:15 - 2006-11-02 10:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-12 18:05 - 2012-05-18 12:14 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-12 17:42 - 2010-01-28 16:46 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-12 17:25 - 2009-07-22 11:40 - 01266465 _____ () C:\Windows\WindowsUpdate.log
2014-02-12 09:33 - 2012-03-16 06:47 - 00003766 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{E99DC1AA-56A1-4C6A-BDFB-9C99CD6B1991}
2014-02-12 07:42 - 2010-01-28 16:46 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-11 22:33 - 2014-02-11 22:33 - 00006843 _____ () C:\Users\Mams Speed Machine\Desktop\attach.txt
2014-02-11 22:31 - 2014-02-11 22:33 - 00018999 _____ () C:\Users\Mams Speed Machine\Desktop\dds.txt
2014-02-11 22:29 - 2014-02-11 22:29 - 00688992 ____R (Swearware) C:\Users\Mams Speed Machine\Downloads\dds (1).com
2014-02-11 22:20 - 2009-05-01 01:24 - 00003600 _____ () C:\Windows\System32\Tasks\HP Health Check
2014-02-11 22:20 - 2006-11-02 07:46 - 00703516 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-11 22:16 - 2014-02-11 14:43 - 00000000 ____D () C:\Program Files (x86)\MyPC Backup
2014-02-11 22:15 - 2006-11-02 10:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-11 22:05 - 2006-11-02 10:42 - 00032586 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-11 14:45 - 2009-08-15 18:00 - 00000000 ___RD () C:\Users\Mams Speed Machine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-11 14:44 - 2014-02-11 14:44 - 00001770 _____ () C:\Users\Mams Speed Machine\Desktop\Sync Folder.lnk
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Local\SearchProtect
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-02-11 14:44 - 2014-02-11 14:43 - 00353964 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistMSI08F9.txt
2014-02-11 14:44 - 2014-02-11 14:43 - 00014814 _____ () C:\Users\Mams Speed Machine\AppData\Local\dd_vcredistUI08F9.txt
2014-02-11 14:43 - 2014-02-11 14:43 - 00001765 _____ () C:\Users\Public\Desktop\InstallConverter.lnk
2014-02-11 14:43 - 2014-02-11 14:43 - 00000888 _____ () C:\Users\Mams Speed Machine\Desktop\MyPC Backup.lnk
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\ProgramData\Websteroids
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\Program Files (x86)\InstallConverter
2014-02-11 01:13 - 2012-03-29 18:17 - 00000910 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-11 01:13 - 2012-03-29 18:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-11 00:42 - 2012-09-26 21:21 - 00025128 _____ () C:\Windows\PFRO.log
2014-02-11 00:40 - 2014-02-10 16:04 - 00000000 ____D () C:\ProgramData\Fighters
2014-02-11 00:38 - 2014-02-10 16:04 - 00000000 ____D () C:\ProgramData\Yahoo!
2014-02-11 00:26 - 2009-05-01 00:49 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-02-11 00:21 - 2013-02-27 03:16 - 00001061 _____ () C:\Users\Mams Speed Machine\Desktop\Revo Uninstaller.lnk
2014-02-10 16:03 - 2014-02-10 16:03 - 00911896 _____ (SafeInstall, LLC) C:\Users\Mams Speed Machine\Downloads\pdf_14376_stn.exe
2014-02-07 09:39 - 2009-09-04 08:32 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-02-05 11:05 - 2012-05-18 12:14 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-05 11:05 - 2012-05-18 12:14 - 00003682 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-05 11:05 - 2011-07-10 00:34 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-01-29 14:26 - 2014-01-29 14:26 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-01-22 18:44 - 2010-01-26 15:15 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Local\Adobe
2014-01-22 18:43 - 2014-01-22 18:43 - 00001884 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk
2014-01-22 18:43 - 2010-01-26 15:16 - 00000000 ____D () C:\ProgramData\Adobe
2014-01-22 18:43 - 2010-01-26 15:16 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-01-22 18:35 - 2012-06-10 15:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-01-20 06:18 - 2014-01-20 06:17 - 00005175 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-01-20 06:18 - 2013-04-30 13:25 - 00000000 ____D () C:\Program Files (x86)\Java
2014-01-19 02:33 - 2009-10-03 08:00 - 00270496 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-01-16 03:03 - 2013-08-15 02:03 - 00000000 ____D () C:\Windows\system32\MRT
2014-01-16 03:00 - 2006-11-02 07:35 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

Some content of TEMP:
====================
C:\Users\Mams Speed Machine\AppData\Local\temp\APNSetup.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\BackupSetup.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\mssinstaller.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nsbB78F.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nsbE150.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nslDE33.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nswBACB.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\vcredist_x64.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\VSUSetup.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-12 10:24

==================== End Of Log ============================




#4 Tsuki17
  • Topic Starter
  • Members
  • 43 posts

Posted 12 February 2014 - 06:35 PM

My Grandmother just told me that she used this computer to pay her bills online today. I had told her not to use it for anything important, but she just assumed that meant not to go to her banking site. I would hate for her credit card or other sensitive info to be compromised; as of now, does anything look like it could have taken her information while she did this? I recently went through having my bank account compromised and am still fixing it, I don't wish for her to have to experience this as well.

I also just noticed that when I open a blank tab it's Bing now, instead of the small windows of popular sites visited, like it normally does. The homepage looks like what the screenshots of that Websteroids virus show... blank search box with a big ad in the middle under it.. I noticed that program in the log and she didn't download it, along with the loads of other things she didn't download, so I'm not sure where it came from. :(


Edited by Tsuki17, 12 February 2014 - 06:45 PM.


#5 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 12 February 2014 - 06:45 PM

Please do the following:

Download the attached fixlist.txt file and save it to the Downloads folder, as that is where FRST64.exe is saved.

Attached File: FixList.txt (4.14KB)

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 12 February 2014 - 06:48 PM

It seems like mostly adware on the machine, but as a precaution she should notify her financial institutions that her personal information may have been compromised, and make sure she changes all her passwords from a machine that hasn't been infected, as there really is no certain way of knowing what this garbage is capable of. It's not known for stealing personal information, but just to be on the safe side I'd take precautions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Tsuki17
  • Topic Starter
  • Members
  • 43 posts

Posted 12 February 2014 - 07:01 PM

Oh good, I'll let her know. She can use my PC to change her passwords on and can call the bank and such tomorrow when they're open. :)

After doing the fix, the My PC Backup shortcut is gone from the desktop, but I still see the Install Converter and Sync Folder shortcuts. Are they real programs?

Here is the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-02-2014 01
Ran by Mams Speed Machine at 2014-02-12 18:49:07 Run:1
Running from C:\Users\Mams Speed Machine\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
(Conduit) C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe
(Conduit) C:\Program Files (x86)\SearchProtect\SearchProtect\bin\cltmng.exe
(Conduit) C:\Program Files (x86)\SearchProtect\UI\bin\cltmngui.exe
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll [1350944 2014-02-03] (Conduit)
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32Loader.dll [1046816 2014-02-03] (Conduit)
SearchScopes: HKLM - {05223EBF-1359-4310-88FF-1581B2A7C0A0} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {05223EBF-1359-4310-88FF-1581B2A7C0A0} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
BHO: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
FF Homepage: hxxp://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C&SSPV=C29650A_sp_ff
FF SelectedSearchEngine: Conduit Search
FF NewTab: hxxp://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=C29650A_sp_ff&Lay=1&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C
FF Plugin-x32: @ei.MapsGalaxy_39.com/Plugin - C:\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\NP39EISB.dll (MapsGalaxy)
FF SearchPlugin: C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\searchplugins\conduit-search.xml
R2 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [2317600 2014-02-03] (Conduit)
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Local\SearchProtect
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-02-11 14:43 - 2014-02-11 22:16 - 00000000 ____D () C:\Program Files (x86)\MyPC Backup
2014-02-11 14:43 - 2014-02-11 14:43 - 00000888 _____ () C:\Users\Mams Speed Machine\Desktop\MyPC Backup.lnk
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup
2014-02-10 16:04 - 2014-02-11 00:40 - 00000000 ____D () C:\ProgramData\Fighters
2014-02-11 22:16 - 2014-02-11 14:43 - 00000000 ____D () C:\Program Files (x86)\MyPC Backup
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Local\SearchProtect
2014-02-11 14:44 - 2014-02-11 14:44 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-02-11 14:43 - 2014-02-11 14:43 - 00000888 _____ () C:\Users\Mams Speed Machine\Desktop\MyPC Backup.lnk
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\Users\Mams Speed Machine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup
C:\Users\Mams Speed Machine\AppData\Local\temp\APNSetup.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\BackupSetup.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\mssinstaller.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nsbB78F.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nsbE150.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nslDE33.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\nswBACB.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\vcredist_x64.exe
C:\Users\Mams Speed Machine\AppData\Local\temp\VSUSetup.exe
BHO: Websteroids: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\ProgramData\Websteroids\IE\common.dll
BHO-x32: Websteroids - {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\ProgramData\Websteroids\IE\common.dll (Creative Island Media, LLC)
FF HKCU\...\Firefox\Extensions: [support@websteroidsapp.com] - C:\ProgramData\Websteroids\Firefox\
FF Extension: Websteroids - C:\ProgramData\Websteroids\Firefox\ []
2014-02-11 14:43 - 2014-02-11 14:43 - 00000000 ____D () C:\ProgramData\Websteroids
end

*****************

[2180] C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe => Process closed successfully.
[844] C:\Program Files (x86)\SearchProtect\SearchProtect\bin\cltmng.exe => Process closed successfully.
[2260] C:\Program Files (x86)\SearchProtect\UI\bin\cltmngui.exe => Process closed successfully.
"C:\\PROGRA~2\\SearchProtect\\SearchProtect\\bin\\SPVC64Loader.dll" => Value Data removed successfully.
"C:\\PROGRA~2\\SearchProtect\\SearchProtect\\bin\\SPVC32Loader.dll" => Value Data removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{05223EBF-1359-4310-88FF-1581B2A7C0A0} => Key deleted successfully.
HKCR\CLSID\{05223EBF-1359-4310-88FF-1581B2A7C0A0} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{05223EBF-1359-4310-88FF-1581B2A7C0A0} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{05223EBF-1359-4310-88FF-1581B2A7C0A0} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key not found.
Firefox homepage deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox newtab deleted successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@ei.MapsGalaxy_39.com/Plugin => Key deleted successfully.
C:\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\NP39EISB.dll => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\searchplugins\conduit-search.xml => Moved successfully.
CltMngSvc => Service deleted successfully.
C:\Users\Mams Speed Machine\AppData\Local\SearchProtect => Moved successfully.
C:\Program Files (x86)\SearchProtect => Moved successfully.

"C:\Program Files (x86)\MyPC Backup" directory move:

Could not move "C:\Program Files (x86)\MyPC Backup" directory. => Scheduled to move on reboot.

C:\Users\Mams Speed Machine\Desktop\MyPC Backup.lnk => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup => Moved successfully.
C:\ProgramData\Fighters => Moved successfully.

"C:\Program Files (x86)\MyPC Backup" directory move:

Could not move "C:\Program Files (x86)\MyPC Backup" directory. => Scheduled to move on reboot.

"C:\Users\Mams Speed Machine\AppData\Local\SearchProtect" => File/Directory not found.
"C:\Program Files (x86)\SearchProtect" => File/Directory not found.
"C:\Users\Mams Speed Machine\Desktop\MyPC Backup.lnk" => File/Directory not found.
"C:\Users\Mams Speed Machine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup" => File/Directory not found.
C:\Users\Mams Speed Machine\AppData\Local\temp\APNSetup.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\BackupSetup.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u21-windows-i586-iftw.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\mssinstaller.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\nsbB78F.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\nsbE150.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\nslDE33.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\nswBACB.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\vcredist_x64.exe => Moved successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\VSUSetup.exe => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b} => Key not found.
HKCR\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b} => Key deleted successfully.
HKCU\Software\Mozilla\Firefox\Extensions\\support@websteroidsapp.com => Value deleted successfully.
C:\ProgramData\Websteroids\Firefox\ => Moved successfully.
C:\ProgramData\Websteroids => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-02-12 18:50:40)<=

C:\Program Files (x86)\MyPC Backup => Is moved successfully.
C:\Program Files (x86)\MyPC Backup => Is moved successfully.

==== End of Fixlog ====



#8 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 12 February 2014 - 08:31 PM

You can right-click and delete those shortcuts (if they'll let you).

Then please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • If items are found, please select the Clean button
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Tsuki17
  • Topic Starter
  • Members
  • 43 posts

Posted 14 February 2014 - 12:11 PM

Sorry for the late reply! We kept our power but lost our cable internet. lol Ah well, they did a fab job getting it back up so quickly. ♥

Here is the log from JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Windows ™ Vista Home Premium x64
Ran by Mams Speed Machine on Fri 02/14/2014 at 11:36:04.15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

Successfully stopped: [Service] backupstack
Successfully deleted: [Service] backupstack

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-575212393-84608004-1612600079-1000\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\dynconie.dynconieobject
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\dynconie.dynconieobject.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\im
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\iminstaller
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\surf canyon
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\dynconie
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\installiq
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\mapsgalaxy_39ei
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\performersoft
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\surf canyon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\searchprotect
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{E4AC6792-B4AA-4C34-9858-E84C94B89383}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\apn"
Successfully deleted: [Folder] "C:\Users\Mams Speed Machine\appdata\locallow\surfcanyon"

 

~~~ FireFox

Successfully deleted: [File] C:\Users\Mams Speed Machine\AppData\Roaming\mozilla\firefox\profiles\35smt0z2.default\user.js
Successfully deleted the following from C:\Users\Mams Speed Machine\AppData\Roaming\mozilla\firefox\profiles\35smt0z2.default\prefs.js

user_pref("arcadeparlor.settings.addon_data", "hxxp://tt.arcadeparlor.com/cmn?p=YTMxNDI1OTY1OThO9R1joeViM5rBIyGiHiQ%2FCMSFenR%2FSRI%2BIZ3qA4hb8xFV4jfgIrvFAeEUoV9aP3UBp0%2FHtCc
user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPF60EF8A1-6A4C-47A8-871D-8F586288F85C&SSP
user_pref("browser.newtab.url", "hxxp://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=C29650A_sp_ff&Lay=1&UM=4&UP=SPF60EF8A1-6A4C-47A8-87
Emptied folder: C:\Users\Mams Speed Machine\AppData\Roaming\mozilla\firefox\profiles\35smt0z2.default\minidumps [6 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 02/14/2014 at 11:42:02.58
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attached is the log from Adwcleaner. Thanks so much! :)

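Added note (not part of the thread or of JRT): the Firefox section of that JRT log is worth a second look. It deleted a user.js from the profile and stripped the homepage and new-tab entries from prefs.js. Firefox re-reads user.js on every start and copies its values over prefs.js, so a hijacker that drops one there gets its homepage back on each launch no matter how often the setting is corrected in the browser UI. The Python script below is an added example that applies that check to a profile: it parses prefs.js and user.js, flags any preference whose URL points at a host outside a trusted list, and flags every user.js override. The sample profile text is constructed to mirror the entries JRT removed (query strings shortened), and the trusted-host list is an assumption to edit per machine.

```python
"""Flag browser-hijack settings in a Firefox profile (prefs.js and user.js).

Added example: not part of the BleepingComputer thread or of JRT. The sample
profile text and the trusted-host list below are constructed for the demo.
"""
import re
from pathlib import Path

# Preferences that redirect/hijack bundles routinely rewrite.
WATCHED_PREFS = {
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.URL",
    "browser.search.defaultenginename",
}

# Hosts the machine's owner actually wants (assumption: edit per machine).
TRUSTED_HOSTS = {"www.google.com", "www.aol.com"}

# user_pref("name", value);   value may be a quoted string, number or bool
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')
# Host part of any http(s) URL in a value; also accepts defanged hxxp(s) as seen in logs
URL_HOST_RE = re.compile(r'(?:https?|hxxps?)://([^/"\s?&]+)', re.IGNORECASE)


def parse_prefs(text):
    """Map pref name -> raw value text for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def hosts_in(value):
    """Lower-cased host names of every URL embedded in a pref value."""
    return {h.lower() for h in URL_HOST_RE.findall(value)}


def audit_profile(prefs_js, user_js=""):
    """Return (pref, host, reason) tuples describing hijack indicators.

    Two rules: a URL-bearing pref that points outside TRUSTED_HOSTS is reported,
    and every pref present in user.js is reported, because Firefox re-applies
    user.js on each start, so a cleaned prefs.js is silently re-hijacked.
    """
    findings = []
    for name, raw in sorted(parse_prefs(prefs_js).items()):
        for host in sorted(hosts_in(raw) - TRUSTED_HOSTS):
            if name in WATCHED_PREFS:
                findings.append((name, host, "watched pref points at untrusted host"))
            else:
                findings.append((name, host, "URL in non-standard pref (add-on beacon?)"))
    for name in sorted(parse_prefs(user_js)):
        findings.append((name, "", "user.js overrides this pref on every launch"))
    return findings


def audit_profile_dir(profile_dir):
    """Audit a real profile folder, e.g. ...\\Firefox\\Profiles\\35smt0z2.default."""
    p = Path(profile_dir)
    prefs = (p / "prefs.js").read_text(encoding="utf-8", errors="replace")
    user = p / "user.js"
    overrides = user.read_text(encoding="utf-8", errors="replace") if user.exists() else ""
    return audit_profile(prefs, overrides)


# Constructed sample modelled on the entries JRT removed above (query strings shortened).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("arcadeparlor.settings.addon_data", "http://tt.arcadeparlor.com/cmn?p=YTMx");
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.newtab.url", "http://search.conduit.com/?ctid=CT3319613&SearchSource=69");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT3319613&SearchSource=55");
user_pref("keyword.URL", "http://search.yahoo.com/search?p={searchTerms}&fr=w3i");
user_pref("network.proxy.type", 0);
"""
SAMPLE_USER_JS = """\
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT3319613");
"""

if __name__ == "__main__":
    for pref, host, why in audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"{pref:36} {host:22} {why}")
```

On a live machine, point audit_profile_dir() at the profile folder named in the log (the 35smt0z2.default path). On the constructed sample it reports the two conduit.com entries, the arcadeparlor beacon, the Yahoo keyword.URL (its fr=w3i parameter is a partner/referrer tag, which is why the Yahoo host is deliberately left off the trusted list) and the user.js override. That keyword.URL entry is the one that still appears in the ComboFix output further down the thread.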

#10 CatByte (Malware Response Team)

Posted 14 February 2014 - 12:52 PM

That looks like a lot of junk was cleared. Please do the following:
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, if it shows a screen that says "Threats found!", then click "List of found threats" button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#11 Tsuki17 (Topic Starter)

Posted 14 February 2014 - 09:59 PM

MBAM did need to restart to finish. Here is its report:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.14.10

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Mams Speed Machine :: MAMSSPEEDMAC-PC [administrator]

2/14/2014 6:36:45 PM
mbam-log-2014-02-14 (18-36-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221939
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A} (PUP.Optional.DynConIE.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6} (PUP.Optional.DynConIE.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Classes\AppID\DynConIE.DLL (PUP.Optional.DynConIE.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\igjjkeeamkpihpncmmbgdkhdnjpcfmfb (PUP.Optional.MultiIE) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Mams Speed Machine\AppData\Local\temp\CT3319613 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 7
C:\$RECYCLE.BIN\S-1-5-21-575212393-84608004-1612600079-1000\$RT2EXUI.exe (PUP.Optional.SafeInstall.A) -> Quarantined and deleted successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\nsv6F39\SpSetup.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Mams Speed Machine\Local Settings\Temporary Internet Files\Content.IE5\769QGL36\PCPerformerSetup.exe (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\Mams Speed Machine\Local Settings\Temporary Internet Files\Content.IE5\769QGL36\SPSetup[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Mams Speed Machine\Local Settings\Temporary Internet Files\Content.IE5\LLLB6ZLC\InstallConverter_TSV244QM2.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Mams Speed Machine\Local Settings\Temporary Internet Files\Content.IE5\LLLB6ZLC\spstub[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Mams Speed Machine\AppData\Local\temp\CT3319613\ddt.csf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)
And here is the ESET Scan log:

 

C:\$RECYCLE.BIN\S-1-5-21-575212393-84608004-1612600079-1000\$RKKIMH6.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EIPlug.dll.vir Win32/Toolbar.MyWebSearch potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EZSETP.dll.vir Win32/Toolbar.MyWebSearch potentially unwanted application
C:\FRST\Quarantine\APNSetup.exe12-02-2014_18-49-08 a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\FRST\Quarantine\NP39EISB.dll12-02-2014_18-49-07 Win32/Toolbar.MyWebSearch potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\Main\bin\CltMngSvc.exe a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\Main\bin\SPTool.dll a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\Main\bin\uninstall.exe a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\cltmng.exe a variant of Win32/Conduit.SearchProtect.I potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPTool64.exe a variant of Win64/Conduit.SearchProtect.A potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC32.dll a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC32Loader.dll a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC64.dll a variant of Win64/Conduit.SearchProtect.A potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\SearchProtect\bin\SPVC64Loader.dll a variant of Win64/Conduit.SearchProtect.A potentially unwanted application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\UI\bin\cltmngui.exe a variant of Win32/Conduit.SearchProtect.I potentially unwanted application
C:\FRST\Quarantine\Websteroids12-02-2014_18-49-09\IE\common.dll a variant of Win32/ExFriendAlert.B potentially unwanted application
C:\Users\Mams Speed Machine\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120925204305562.rsc a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Windows\Installer\MSI671E.tmp a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application

Is the Conduit thing showing the one that I always hear about that's so bad?

 

Ah no... that one that ESET shows, the AVG PC Tuneup, is something she downloaded and paid for from an ad on AOL about a year ago. Is it really a trojan downloader?



#12 CatByte (Malware Response Team)

Posted 15 February 2014 - 06:59 PM

You need to empty the recycle bin, then delete the following:

C:\Windows\Installer\MSI671E.tmp

She can keep the PC Tuneup 2011 if she wishes to. The installer comes bundled with adware, but as it's installed already that's no concern, though to be honest I doubt it does much for her machine.

The rest of the detections are in quarantine already so can't hurt the computer.

How is the computer running now, are there any outstanding issues?

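Added note (not part of the thread or of ESET): the triage in that reply follows a simple rule that is worth making mechanical, because a long scanner export tends to alarm people who don't know what the paths mean. Anything under an AdwCleaner or FRST Quarantine folder has already been neutralised by an earlier tool, a $RECYCLE.BIN entry disappears when the bin is emptied, and only the hits outside those places (here the AVG .rsc file and C:\Windows\Installer\MSI671E.tmp) are still live and need a decision. The Python script below is an added example that applies that rule to an ESET text export. The quarantine folder list (including C:\Qoobox\Quarantine, assumed to be ComboFix's default) is an assumption about default tool locations; the sample lines are six entries copied from the ESET log above. Whether a live hit is kept, as CatByte decided for the PC Tuneup file, is still a judgement the script only surfaces, not one it makes.

```python
"""Triage an ESET Online Scanner text export by where each hit lives.

Added example: not from the thread or from ESET. Quarantine folder locations
are assumptions about the default paths of the cleanup tools used above.
"""
import re

# Where earlier tools parked what they removed (AdwCleaner, FRST, ComboFix defaults).
QUARANTINE_PREFIXES = (
    "C:\\AdwCleaner\\Quarantine\\",
    "C:\\FRST\\Quarantine\\",
    "C:\\Qoobox\\Quarantine\\",
)
RECYCLE_RE = re.compile(r"^[A-Za-z]:\\\$RECYCLE\.BIN\\", re.IGNORECASE)

# Export line shape: "<path> [a variant of ]<Family/Name> <category phrase>"
CATEGORIES = ("potentially unwanted application", "potentially unsafe application", "trojan")
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<name>(?:a variant of )?\S+/\S+)\s+"
    r"(?P<category>" + "|".join(CATEGORIES) + r")\s*$"
)


def parse_line(line):
    """Split one export line into path, detection name and category; None if not a hit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    hit["severity"] = "malware" if hit["category"] == "trojan" else "pua"
    return hit


def triage(path):
    """Classify a detected path: recycle_bin, quarantined or live."""
    if RECYCLE_RE.match(path):
        return "recycle_bin"          # gone once the Recycle Bin is emptied
    low = path.lower()
    if any(low.startswith(q.lower()) for q in QUARANTINE_PREFIXES):
        return "quarantined"          # already contained by an earlier tool
    return "live"                     # still in place; needs a decision


def triage_report(text):
    """Group every parsable hit in the export under its triage bucket."""
    report = {"live": [], "recycle_bin": [], "quarantined": []}
    for line in text.splitlines():
        hit = parse_line(line)
        if hit:
            report[triage(hit["path"])].append(hit)
    return report


# Sample input: six lines copied from the ESET log posted above.
SAMPLE_ESET = r"""
C:\$RECYCLE.BIN\S-1-5-21-575212393-84608004-1612600079-1000\$RKKIMH6.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EIPlug.dll.vir Win32/Toolbar.MyWebSearch potentially unwanted application
C:\FRST\Quarantine\APNSetup.exe12-02-2014_18-49-08 a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\FRST\Quarantine\SearchProtect12-02-2014_18-49-08\Main\bin\CltMngSvc.exe a variant of Win32/Conduit.SearchProtect.H potentially unwanted application
C:\Users\Mams Speed Machine\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120925204305562.rsc a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Windows\Installer\MSI671E.tmp a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
"""

if __name__ == "__main__":
    for bucket, hits in triage_report(SAMPLE_ESET).items():
        print(f"== {bucket} ({len(hits)})")
        for h in hits:
            print(f"  [{h['severity']}] {h['path']}  <- {h['name']}")
```

Feed it the ESETSCAN.txt export the instructions above have you save to the desktop; the "live" bucket is the only one that needs a human to look at it, and the severity field carries ESET's own category so a trojan detection is not buried among toolbar PUAs.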


#13 Tsuki17 (Topic Starter)

Posted 16 February 2014 - 12:23 AM

Crazy, crazy weather/nature.... we had an earthquake last night! lol

 

Hmmmm, I can't locate C:\Windows\Installer\MSI671E.tmp no matter how I search for it. I'm not sure what to do about that.

 

So the PC Tuneup won't continue to add things anymore? That's good. :) Honestly, I don't think she's used this even once. I might see if she'll let me uninstall it. I know she d/l it originally because she was concerned about her computer being slow, but that turned out to be malware then as well.

 

The computer seems to be running great now. The only other thing that started recently and seemed odd to me was that when she starts her computer up you can hear the CPU and fans whirring loudly in the tower. I started the task manager and as it's loading up the startup programs it's maxing out CPU usage and the resource monitor; all windows on it max out as well. Could that have been from the malware? She barely has anything stored on here so I know it's not overloaded with stuff. Maybe it's just its age. I'm attaching a screen cap of what it looks like.


Edited by Tsuki17, 16 February 2014 - 12:30 AM.


#14 CatByte (Malware Response Team)

Posted 16 February 2014 - 11:28 AM

wow, your weather is crazy!

Take a look at startup lite

StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

That may help a bit

My apologies, C:\Windows\Installer is a hidden system file, so you will need to show hidden files, folders and hidden system files.

The noise could also be debris build up, make sure the fans are clear of dust bunnies


Please run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#15 Tsuki17 (Topic Starter)

Posted 17 February 2014 - 06:05 AM

Thanks for the Startup Lite link! I'll definitely use this. :) I found the C:\Windows\Installer\MSI671E.tmp file, deleted it and emptied the rubbish bin.

 

Here is the combofix log:

 

ComboFix 14-02-16.01 - Mams Speed Machine 02/16/2014  20:27:25.3.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6133.3868 [GMT -5:00]
Running from: c:\users\Mams Speed Machine\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\userinit.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-17 to 2014-02-17  )))))))))))))))))))))))))))))))
.
.
2014-02-17 02:32 . 2014-02-17 02:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-02-17 02:32 . 2014-02-17 02:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-16 05:05 . 2013-12-04 03:28 10315576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D08011C3-392E-4B1D-BE47-602706C133B7}\mpengine.dll
2014-02-15 00:41 . 2014-02-15 00:41 -------- d-----w- c:\program files (x86)\ESET
2014-02-14 17:04 . 2013-12-04 03:28 10315576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-02-14 16:44 . 2014-02-14 16:45 -------- d-----w- C:\AdwCleaner
2014-02-14 16:36 . 2014-02-14 16:36 -------- d-----w- c:\windows\ERUNT
2014-02-14 08:06 . 2014-02-05 09:52 86016 ----a-w- c:\windows\system32\jsproxy.dll
2014-02-14 03:35 . 2013-12-05 04:48 1869824 ----a-w- c:\windows\system32\msxml3.dll
2014-02-14 03:35 . 2013-12-05 02:12 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-02-12 23:20 . 2014-02-12 23:50 -------- d-----w- C:\FRST
2014-02-11 19:43 . 2014-02-11 19:43 -------- d-----w- c:\program files (x86)\InstallConverter
2014-02-10 21:04 . 2014-02-11 05:38 -------- d-----w- c:\programdata\Yahoo!
2014-01-29 19:26 . 2014-01-29 19:26 -------- d-----w- c:\program files\McAfee Security Scan
2014-01-23 23:51 . 2013-10-19 02:01 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3A3EA86F-D73C-4026-80DA-8F93A9771D12}\gapaengine.dll
2014-01-22 23:43 . 2014-01-22 23:48 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2014-01-20 11:18 . 2013-12-19 02:09 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-16 08:00 . 2006-11-02 12:35 88567024 ----a-w- c:\windows\system32\mrt.exe
2014-02-05 16:05 . 2012-05-18 17:14 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-05 16:05 . 2011-07-10 05:34 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-19 07:33 . 2009-10-03 13:00 270496 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2010-06-30 1689144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-10 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2013-01-04 404712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 324320]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111v3\WG111v3.exe [2008-6-13 2498560]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2009-2-9 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-18 16:05]
.
2014-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-28 21:46]
.
2014-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-28 21:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 1266912]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" [2013-01-04 404712]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.aol.com/
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
FF - ProfilePath - c:\users\Mams Speed Machine\AppData\Roaming\Mozilla\Firefox\Profiles\35smt0z2.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20140207,20030,0,18,0
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: !HIDDEN! 2010-08-19 20:46; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
AddRemove-Websteroids - c:\programdata\Websteroids\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-575212393-84608004-1612600079-1000_Classes\CLSID]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_44_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_44_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2014-02-16  21:34:07
ComboFix-quarantined-files.txt  2014-02-17 02:34
.
Pre-Run: 474,547,531,776 bytes free
Post-Run: 475,695,542,272 bytes free
.
- - End Of File - - CDD17D5910896ED9A149D895D912FCDC
81CD5EC01DB0CE57EDD853F82462EF27