Request help to remove Hacktool.Rootkit


  • This topic is locked
7 replies to this topic

#1 CobaltPascal

  • Members
  • 4 posts

Posted 06 June 2014 - 08:48 AM

Thank you for the support and help your site provides.  I have searched and reviewed a couple threads on how you have helped others with similar removal and see that your threads contain user PC specific help.

 

Please assist me with repair / removal - or advise if a full wipe and start over is better.  My wife's Gateway Laptop is running Symantec Endpoint Protection and it found Hacktool.Rootkit infections as well as Trojan.Gpcoder.E, Trojan.Zbot and Downloader.Upatre risks. Some of the identified files are indicated as Cleaned, while for others the status still shows as infected.  These appear in the logs as far back as Feb., then again in every scan since a few weeks ago.

 

The Laptop is running XP pro SP3.  And yes, it runs very slow, worst at startup and randomly and at shutdown. 

 

Thank you.  Please let me know what else I can provide to describe my issue.

 

- Cobalt




#2 nasdaq

  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 June 2014 - 08:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's start with this.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

Let me know what problem persists.
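The AdwCleaner report that the steps above ask for has a regular layout: `# Key : Value` header lines (including `# Option : Scan` or `# Option : Clean`), `***** [ Section ] *****` headings, and one entry per line such as `Folder Found : path`, `Key Deleted : key` or `[x] Not Deleted : path`. The small parser below is an added example written for this page; it is not nasdaq's procedure and not AdwCleaner's own code, the regular expressions and function names are my assumptions drawn from the report lines visible in this thread, and the sample report text is constructed for the example rather than taken from a real machine. Its point for a helper reading such logs: a Clean run can still leave `[x] Not Deleted` items behind, and those are what need follow-up before the clean step is considered done.

```python
import re
from collections import Counter

# Constructed sample in the AdwCleaner v3 report layout seen in this thread.
# Paths and keys are made up for the example; they are not from any poster's log.
SAMPLE_CLEAN_REPORT = r"""
# AdwCleaner v3.212 - Report created 12/06/2014 at 12:52:05
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

[x] Not Deleted : C:\Program Files\ExampleToolbar
Folder Deleted : C:\Documents and Settings\User\Application Data\ExampleUpdater
File Deleted : C:\END

***** [ Registry ] *****

Key Deleted : HKCU\Software\ExampleToolbar
[x] Not Deleted : HKLM\Software\ExampleToolbar

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.5512

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1234 octets] ##########
"""

# Regexes are assumptions drawn from the report lines visible in this thread.
HEADER_RE = re.compile(r"^# (?P<key>[^:]+?) : (?P<value>.+)$")
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
# "Folder Deleted : path", "Key Found : key", "[x] Not Deleted : path", ...
ENTRY_RE = re.compile(r"^(?:\[x\] )?(?P<status>[A-Za-z]+(?: [A-Za-z]+)*) : (?P<item>.+)$")


def parse_report(text):
    """Return {'header': {...}, 'entries': [...]} for one AdwCleaner report."""
    header, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key").strip()] = m.group("value").strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            entries.append({
                "section": section,
                "status": m.group("status"),
                "item": m.group("item"),
                # "[x]" marks an item the tool could not remove
                "failed": line.startswith("[x]"),
            })
    return {"header": header, "entries": entries}


def status_counts(report):
    """Count entries per status, e.g. {'Key Deleted': 1, 'Not Deleted': 2}."""
    return Counter(e["status"] for e in report["entries"])


def leftovers(report):
    """Items a Clean run reported as '[x] Not Deleted'."""
    return [e["item"] for e in report["entries"] if e["failed"]]


def needs_follow_up(report):
    """True when this was a Clean run and something survived it."""
    return report["header"].get("Option") == "Clean" and bool(leftovers(report))


if __name__ == "__main__":
    rep = parse_report(SAMPLE_CLEAN_REPORT)
    print("Run type:", rep["header"].get("Option"))
    for status, n in sorted(status_counts(rep).items()):
        print(f"  {status}: {n}")
    for item in leftovers(rep):
        print("  survived clean:", item)
    print("Needs follow-up:", needs_follow_up(rep))
```

Run it against a saved report (for instance the `C:\AdwCleaner[Sn].txt` file the instructions point to) by reading the file into `parse_report`; entries outside any `*****` section, browser version lines and the EOF trailer are deliberately ignored, and the `failed` flag is what separates a clean that finished from one whose leftovers (typically a locked folder or a registry key still in use) need another pass or a different tool.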

#3 CobaltPascal

  • Topic Starter
  • Members
  • 4 posts

Posted 12 June 2014 - 04:22 PM

Thank you nasdaq,

 

I did the steps you outlined, and will paste in the logs here below.  After doing these steps I turned on Symantec Endpoint Protection, rebooted, and ran a full scan in Symantec. It found again two instances of the Hacktool.Rootkit, and it cleaned two files in the restore folder.  On the next start up it did a quick scan, which came back clean, but on start up a long time passes between the screen background appearing and the desktop icons etc. showing up.

 

I suspect that my problem is still present and that Symantec can not really remove it.  Please advise.

 

Attached File: Addition.txt (28.67KB)

 

Here are the logs

Adwcleaner report: 

# AdwCleaner v3.212 - Report created 12/06/2014 at 12:47:09
# Updated 05/06/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Diva - PATERNO2
# Running from : C:\Documents and Settings\Diva\Desktop\adwcleaner_3.212.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\ask-web-search.xml
File Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\Conduit.xml
File Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\user.js
File Found : C:\END
Folder Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\CT3279141
Folder Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\Extensions\{F0E59437-6148-4A98-B0A6-60D557EF57F4}
Folder Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\Extensions\{f0e59437-6148-4a98-b0a6-60d557ef57f4}
Folder Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\MyWebFace_5a
Folder Found : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\Smartbar
Folder Found : C:\Documents and Settings\Diva\Application Data\SwvUpdater
Folder Found : C:\Documents and Settings\Diva\Local Settings\Application Data\Conduit
Folder Found : C:\Program Files\Conduit

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\ConduitSearchScopes
Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\Crossrider
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Found : HKCU\Software\PriceGong
Key Found : HKCU\Software\SmartBar
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0194532A-A99C-4337-937E-2A452C8957BE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Found : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92E5039E-FF1E-4AFB-8F24-87592D20C383}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\InstallIQ
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494
Key Found : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.5512

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxp://search.conduit.com?SearchSource=10&CUI=UN18978958622702271&ctid=CT3279141

-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\prefs.js ]

Line Found : user_pref("CT3279141.1000082.isPlayDisplay", "true");
Line Found : user_pref("CT3279141.1000082.state", "{\"state\":\"stopped\",\"text\":\"1.FM (Cou...\",\"description\":\"1.FM (Country)\",\"url\":\"hxxp://1.fm/wm/energycountry32k.asx\"}");
Line Found : user_pref("CT3279141.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3279141.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3279141.FF19Solved", "true");
Line Found : user_pref("CT3279141.FirstTime", "true");
Line Found : user_pref("CT3279141.FirstTimeFF3", "true");
Line Found : user_pref("CT3279141.PG_ENABLE", "dHJ1ZQ==");
Line Found : user_pref("CT3279141.PG_ENABLE.enc", "dHJ1ZQ==");
Line Found : user_pref("CT3279141.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN22581957912599950&UM=UM_ID&q=");
Line Found : user_pref("CT3279141.UserID", "UN22581957912599950");
Line Found : user_pref("CT3279141.addressBarTakeOverEnabledInHidden", "true");
Line Found : user_pref("CT3279141.autoDisableScopes", -1);
Line Found : user_pref("CT3279141.browser.search.defaultthis.engineName", "true");
Line Found : user_pref("CT3279141.cbfirsttime.enc", "VHVlIEZlYiAxOSAyMDEzIDExOjA3OjA5IEdNVC0wNTAwIChFYXN0ZXJuIFN0YW5kYXJkIFRpbWUp");
Line Found : user_pref("CT3279141.defaultSearch", "true");
Line Found : user_pref("CT3279141.enableAlerts", "always");
Line Found : user_pref("CT3279141.enableFix404ByUser", "TRUE");
Line Found : user_pref("CT3279141.enableSearchFromAddressBar", "true");
Line Found : user_pref("CT3279141.firstTimeDialogOpened", "true");
Line Found : user_pref("CT3279141.fixPageNotFoundError", "true");
Line Found : user_pref("CT3279141.fixPageNotFoundErrorByUser", "true");
Line Found : user_pref("CT3279141.fixPageNotFoundErrorInHidden", "true");
Line Found : user_pref("CT3279141.fixUrls", true);
Line Found : user_pref("CT3279141.homepageuserchanged", true);
Line Found : user_pref("CT3279141.hxxp___api15_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Found : user_pref("CT3279141.hxxp___api18_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Found : user_pref("CT3279141.hxxp___api19_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Found : user_pref("CT3279141.hxxp___api20_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Found : user_pref("CT3279141.hxxp___api21_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Found : user_pref("CT3279141.hxxp___api6_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Found : user_pref("CT3279141.installDate", "19/2/2013 10:50:29");
Line Found : user_pref("CT3279141.installId", "9818");
Line Found : user_pref("CT3279141.installType", "conduitnsisintegration");
Line Found : user_pref("CT3279141.isCheckedStartAsHidden", true);
Line Found : user_pref("CT3279141.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3279141.isFirstTimeToolbarLoading", "false");
Line Found : user_pref("CT3279141.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Found : user_pref("CT3279141.keyword", "true");
Line Found : user_pref("CT3279141.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT3279141&octid=CT3279141&SearchSource=15&CUI=UN22581957912599950&SSPV=EB_SSPV&Lay=1&UM=U[...]
Line Found : user_pref("CT3279141.lastVersion", "10.14.65.43");
Line Found : user_pref("CT3279141.mam_gk_CouponBuddy_appState.enc", "b24=");
Line Found : user_pref("CT3279141.mam_gk_PriceGong_appState.enc", "b24=");
Line Found : user_pref("CT3279141.mam_gk_appStateReportTime.enc", "MTM2MTI5MDAyODgzMw==");
Line Found : user_pref("CT3279141.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9wcmljZWdvbmcuY29uZHVpdGFwcHMuY29tL01BTS92MS9odG1sX2NvbXAuaHRtbCIsIm9wdGlvbnNEaWFsb2ciOnsiZGlzcGxheU5h[...]
Line Found : user_pref("CT3279141.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Line Found : user_pref("CT3279141.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlByaWNlR29uZyIsImNyaXRlcmlhcyI6W3siY3JpdGVyaWFJZCI6IjQzZmVjMDg1LWNkMzktNGQyZi05MDZhLTAyNTdkZjM2YzlhYiIsImRvbWFpbnMiOls[...]
Line Found : user_pref("CT3279141.mam_gk_currentVersion.enc", "MS40LjAuNA==");
Line Found : user_pref("CT3279141.mam_gk_eventsCache.enc", "eyJiNmVkZWE2Yi05MmQ1LTQwOTAtOGMyZS1hNzA0MDg4ZjUwY2MiOnsidG9waWMiOiJzZW5kVXNhZ2UiLCJkYXRhIjpbIldlbGNvbWUiLCJWaWV3Il0sInVuaXF1ZUlkIjoiYjZlZGVhNmItOTJkNS00M[...]
Line Found : user_pref("CT3279141.mam_gk_first_time.enc", "MQ==");
Line Found : user_pref("CT3279141.mam_gk_gadgetOpen.enc", "MQ==");
Line Found : user_pref("CT3279141.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Line Found : user_pref("CT3279141.mam_gk_lastLoginTime.enc", "MTM2MTI5MDAyODgyOA==");
Line Found : user_pref("CT3279141.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50IFBvbGljeSJ9LCJnYWRnZXREZXNjcmlwdGlvblByaW1hcnkiOnsiVGV4dCI6IlZhbHVlIEFwcHMgZW5yaWNoZXMgeW91ciB3ZWIg[...]
Line Found : user_pref("CT3279141.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Line Found : user_pref("CT3279141.mam_gk_settings1.4.0.4.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVydmFsIjoyNDAsInN0YW1wIjoiNjFfLTEiLCJpc1Rlc3QiOmZhbHNlLCJpc1dlbGNvbWVFeHBlcmllbmNlRW5hYmxlZEJ5RGVmYXVsd[...]
Line Found : user_pref("CT3279141.mam_gk_showCloseButton.enc", "dHJ1ZQ==");
Line Found : user_pref("CT3279141.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Line Found : user_pref("CT3279141.mam_gk_userId.enc", "YTgxOTI4MWUtZDkxMy00N2Y0LTg5MTgtYjYzYmNjNzU4NDE2");
Line Found : user_pref("CT3279141.mam_gk_user_apps_selection.enc", "");
Line Found : user_pref("CT3279141.migrateAppsAndComponents", true);
Line Found : user_pref("CT3279141.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fwww.medscape.com%2Fviewarticle%2F779915%3Fnlid%3D28943_1049%26src%3Dwnl_edit_dail\",\"EB_MAIN_FRAME_TITLE\":\"Nicoti[...]
Line Found : user_pref("CT3279141.openThankYouPage", "false");
Line Found : user_pref("CT3279141.openUninstallPage", "true");
Line Found : user_pref("CT3279141.revertSettingsEnabled", "true");
Line Found : user_pref("CT3279141.search.searchAppId", "130028020976478709");
Line Found : user_pref("CT3279141.search.searchCount", "0");
Line Found : user_pref("CT3279141.searchFromAddressBarEnabledByUser", "true");
Line Found : user_pref("CT3279141.searchInNewTabEnabledByUser", "true");
Line Found : user_pref("CT3279141.searchInNewTabEnabledInHidden", "true");
Line Found : user_pref("CT3279141.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3279141.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Found : user_pref("CT3279141.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Found : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3279141\"}");
Line Found : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://WhiteSmokeB.OurToolbar.com//xpi\"}");
Line Found : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"WhiteSmoke B\"}");
Line Found : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Found : user_pref("CT3279141.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1361290019996");
Line Found : user_pref("CT3279141.serviceLayer_services_appsMetadata_lastUpdate", "1361290019979");
Line Found : user_pref("CT3279141.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1361290019782");
Line Found : user_pref("CT3279141.serviceLayer_services_location_lastUpdate", "1361290017414");
Line Found : user_pref("CT3279141.serviceLayer_services_login_10.14.65.43_lastUpdate", "1361906386874");
Line Found : user_pref("CT3279141.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1361290019890");
Line Found : user_pref("CT3279141.serviceLayer_services_searchAPI_lastUpdate", "1361290017677");
Line Found : user_pref("CT3279141.serviceLayer_services_serviceMap_lastUpdate", "1361891985165");
Line Found : user_pref("CT3279141.serviceLayer_services_setupAPI_lastUpdate", "1361290020030");
Line Found : user_pref("CT3279141.serviceLayer_services_toolbarContextMenu_lastUpdate", "1361290019686");
Line Found : user_pref("CT3279141.serviceLayer_services_toolbarSettings_lastUpdate", "1361906387853");
Line Found : user_pref("CT3279141.serviceLayer_services_translation_lastUpdate", "1361891986594");
Line Found : user_pref("CT3279141.settingsINI", true);
Line Found : user_pref("CT3279141.shouldFirstTimeDialog", "false");
Line Found : user_pref("CT3279141.smartbar.CTID", "CT3279141");
Line Found : user_pref("CT3279141.smartbar.Uninstall", "0");
Line Found : user_pref("CT3279141.smartbar.homepage", true);
Line Found : user_pref("CT3279141.smartbar.isHidden", true);
Line Found : user_pref("CT3279141.smartbar.toolbarName", "WhiteSmoke B ");
Line Found : user_pref("CT3279141.startPage", "true");
Line Found : user_pref("CT3279141.toolbarBornServerTime", "19-2-2013");
Line Found : user_pref("CT3279141.toolbarCurrentServerTime", "26-2-2013");
Line Found : user_pref("CT3279141.toolbarDisabled", "true");
Line Found : user_pref("CT3279141.url_history0001.enc", "aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo6OmNsaWNraGFuZGxlcjo6OjEzNjEyOTAzNjMwMDcsLCxodHRwczovL3d3dy5nb29nbGUuY29tOjo6Y2xpY2toYW5kbGVyOjo6MTM2MTI5MDQ4OTM4OSwsLGh0dHBz[...]
Line Found : user_pref("CT3279141_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1362059844900,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Found : user_pref("Smartbar.ConduitHomepagesList", "");
Line Found : user_pref("Smartbar.ConduitSearchEngineList", "WhiteSmoke B Customized Web Search");
Line Found : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN22581957912599950&UM=UM_ID&q=");
Line Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT3279141");
Line Found : user_pref("browser.search.defaultthis.engineName", "WhiteSmoke B Customized Web Search");
Line Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=3&q={searchTerms}&CUI=UN22581957912599950");
Line Found : user_pref("extensions.crossrider.bic", "13cf32e55bc7a899aa7d17691448f293");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.BUTTON_STRUCTURE", "[{\"b\":221351749,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221351750,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.firstKnownVersion", "6.33.3.53973");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?n=780bd862&p2=^GR^xpi000^YYA^");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.initialized", true);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.contextKey", "");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.installDate", "2014042210");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.partnerId", "^GR^xpi000^YYA^");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.partnerSubId", "");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.success", false);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.isCompliantUninstallImplementation", true);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.lastActivePing", "1398175944673");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.lastKnownVersion", "6.33.3.53973");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.options.defaultSearch", false);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.options.homePageEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.options.keywordEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.options.tabEnabled", false);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.partnerPixelFired", false);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.successUrl", "hxxp://home.mywebface.com/");
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.toolbarCollapsed", false);
Line Found : user_pref("extensions.toolbar.mindspark._5aMembers_.weather.location", "16801");
Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "");
Line Found : user_pref("extensions.toolbar.mindspark.lastInstalled", "mywebface@mindspark.com");
Line Found : user_pref("smartBar.searchInNewTabOwner", "CT3279141");
Line Found : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3279141&octid=CT3279141&SearchSource=61&CUI=SB_CUI&UM=UM_ID&UP=SP9AB49014-9C0E-4F46-9CBF-2CEBEA16D578,hxxp://search.conduit[...]
Line Found : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN22581957912599950&UM=UM_ID&q=");
Line Found : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3279141&octid=CT3279141&SearchSource=61&CUI=UN22581957912599950&UM=UM_ID&UP=SP9AB49014-9C0E-4F46-9CBF-2CEBEA16D578");
Line Found : user_pref("smartbar.originalSearchAddressUrl", "");
Line Found : user_pref("smartbar.originalSearchEngine", "");

[ File : C:\Documents and Settings\Kid Account\Application Data\Mozilla\Firefox\Profiles\yey15cmy.default\prefs.js ]


[ File : C:\Documents and Settings\Kiran\Application Data\Mozilla\Firefox\Profiles\4qb07wy5.default\prefs.js ]


-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [18587 octets] - [12/06/2014 12:41:23]
AdwCleaner[R1].txt - [18506 octets] - [12/06/2014 12:47:09]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [18567 octets] ##########
 

 

Log after running Adwcleaner Clean step:

# AdwCleaner v3.212 - Report created 12/06/2014 at 12:52:05
# Updated 05/06/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Diva - PATERNO2
# Running from : C:\Documents and Settings\Diva\Desktop\adwcleaner_3.212.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

[x] Not Deleted : C:\Program Files\Conduit
[x] Not Deleted : C:\Documents and Settings\Diva\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Diva\Application Data\SwvUpdater
Folder Deleted : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\MyWebFace_5a
Folder Deleted : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\Smartbar
Folder Deleted : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\CT3279141
Folder Deleted : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\Extensions\{F0E59437-6148-4A98-B0A6-60D557EF57F4}
File Deleted : C:\END
File Deleted : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\ask-web-search.xml
[x] Not Deleted : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\Conduit.xml
File Deleted : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{20E1481B-E285-4ABC-ADC7-AE24842B81CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0194532A-A99C-4337-937E-2A452C8957BE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92E5039E-FF1E-4AFB-8F24-87592D20C383}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\APN PIP
[x] Not Deleted : HKCU\Software\Conduit
[x] Not Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Crossrider
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
[x] Not Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.5512

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\prefs.js ]

Line Deleted : user_pref("CT3279141.1000082.isPlayDisplay", "true");
Line Deleted : user_pref("CT3279141.1000082.state", "{\"state\":\"stopped\",\"text\":\"1.FM (Cou...\",\"description\":\"1.FM (Country)\",\"url\":\"hxxp://1.fm/wm/energycountry32k.asx\"}");
Line Deleted : user_pref("CT3279141.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3279141.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3279141.FF19Solved", "true");
Line Deleted : user_pref("CT3279141.FirstTime", "true");
Line Deleted : user_pref("CT3279141.FirstTimeFF3", "true");
Line Deleted : user_pref("CT3279141.PG_ENABLE", "dHJ1ZQ==");
Line Deleted : user_pref("CT3279141.PG_ENABLE.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3279141.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN22581957912599950&UM=UM_ID&q=");
Line Deleted : user_pref("CT3279141.UserID", "UN22581957912599950");
Line Deleted : user_pref("CT3279141.addressBarTakeOverEnabledInHidden", "true");
Line Deleted : user_pref("CT3279141.autoDisableScopes", -1);
Line Deleted : user_pref("CT3279141.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3279141.cbfirsttime.enc", "VHVlIEZlYiAxOSAyMDEzIDExOjA3OjA5IEdNVC0wNTAwIChFYXN0ZXJuIFN0YW5kYXJkIFRpbWUp");
Line Deleted : user_pref("CT3279141.defaultSearch", "true");
Line Deleted : user_pref("CT3279141.enableAlerts", "always");
Line Deleted : user_pref("CT3279141.enableFix404ByUser", "TRUE");
Line Deleted : user_pref("CT3279141.enableSearchFromAddressBar", "true");
Line Deleted : user_pref("CT3279141.firstTimeDialogOpened", "true");
Line Deleted : user_pref("CT3279141.fixPageNotFoundError", "true");
Line Deleted : user_pref("CT3279141.fixPageNotFoundErrorByUser", "true");
Line Deleted : user_pref("CT3279141.fixPageNotFoundErrorInHidden", "true");
Line Deleted : user_pref("CT3279141.fixUrls", true);
Line Deleted : user_pref("CT3279141.homepageuserchanged", true);
Line Deleted : user_pref("CT3279141.hxxp___api15_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Deleted : user_pref("CT3279141.hxxp___api18_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Deleted : user_pref("CT3279141.hxxp___api19_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Deleted : user_pref("CT3279141.hxxp___api20_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Deleted : user_pref("CT3279141.hxxp___api21_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Deleted : user_pref("CT3279141.hxxp___api6_starwebnet_com.pid2.enc", "ZDQ1YjlmNWE1NGExN2U5Yw==");
Line Deleted : user_pref("CT3279141.installDate", "19/2/2013 10:50:29");
Line Deleted : user_pref("CT3279141.installId", "9818");
Line Deleted : user_pref("CT3279141.installType", "conduitnsisintegration");
Line Deleted : user_pref("CT3279141.isCheckedStartAsHidden", true);
Line Deleted : user_pref("CT3279141.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3279141.isFirstTimeToolbarLoading", "false");
Line Deleted : user_pref("CT3279141.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT3279141.keyword", "true");
Line Deleted : user_pref("CT3279141.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT3279141&octid=CT3279141&SearchSource=15&CUI=UN22581957912599950&SSPV=EB_SSPV&Lay=1&UM=U[...]
Line Deleted : user_pref("CT3279141.lastVersion", "10.14.65.43");
Line Deleted : user_pref("CT3279141.mam_gk_CouponBuddy_appState.enc", "b24=");
Line Deleted : user_pref("CT3279141.mam_gk_PriceGong_appState.enc", "b24=");
Line Deleted : user_pref("CT3279141.mam_gk_appStateReportTime.enc", "MTM2MTI5MDAyODgzMw==");
Line Deleted : user_pref("CT3279141.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9wcmljZWdvbmcuY29uZHVpdGFwcHMuY29tL01BTS92MS9odG1sX2NvbXAuaHRtbCIsIm9wdGlvbnNEaWFsb2ciOnsiZGlzcGxheU5h[...]
Line Deleted : user_pref("CT3279141.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Line Deleted : user_pref("CT3279141.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlByaWNlR29uZyIsImNyaXRlcmlhcyI6W3siY3JpdGVyaWFJZCI6IjQzZmVjMDg1LWNkMzktNGQyZi05MDZhLTAyNTdkZjM2YzlhYiIsImRvbWFpbnMiOls[...]
Line Deleted : user_pref("CT3279141.mam_gk_currentVersion.enc", "MS40LjAuNA==");
Line Deleted : user_pref("CT3279141.mam_gk_eventsCache.enc", "eyJiNmVkZWE2Yi05MmQ1LTQwOTAtOGMyZS1hNzA0MDg4ZjUwY2MiOnsidG9waWMiOiJzZW5kVXNhZ2UiLCJkYXRhIjpbIldlbGNvbWUiLCJWaWV3Il0sInVuaXF1ZUlkIjoiYjZlZGVhNmItOTJkNS00M[...]
Line Deleted : user_pref("CT3279141.mam_gk_first_time.enc", "MQ==");
Line Deleted : user_pref("CT3279141.mam_gk_gadgetOpen.enc", "MQ==");
Line Deleted : user_pref("CT3279141.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3279141.mam_gk_lastLoginTime.enc", "MTM2MTI5MDAyODgyOA==");
Line Deleted : user_pref("CT3279141.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50IFBvbGljeSJ9LCJnYWRnZXREZXNjcmlwdGlvblByaW1hcnkiOnsiVGV4dCI6IlZhbHVlIEFwcHMgZW5yaWNoZXMgeW91ciB3ZWIg[...]
Line Deleted : user_pref("CT3279141.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3279141.mam_gk_settings1.4.0.4.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVydmFsIjoyNDAsInN0YW1wIjoiNjFfLTEiLCJpc1Rlc3QiOmZhbHNlLCJpc1dlbGNvbWVFeHBlcmllbmNlRW5hYmxlZEJ5RGVmYXVsd[...]
Line Deleted : user_pref("CT3279141.mam_gk_showCloseButton.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3279141.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3279141.mam_gk_userId.enc", "YTgxOTI4MWUtZDkxMy00N2Y0LTg5MTgtYjYzYmNjNzU4NDE2");
Line Deleted : user_pref("CT3279141.mam_gk_user_apps_selection.enc", "");
Line Deleted : user_pref("CT3279141.migrateAppsAndComponents", true);
Line Deleted : user_pref("CT3279141.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fwww.medscape.com%2Fviewarticle%2F779915%3Fnlid%3D28943_1049%26src%3Dwnl_edit_dail\",\"EB_MAIN_FRAME_TITLE\":\"Nicoti[...]
Line Deleted : user_pref("CT3279141.openThankYouPage", "false");
Line Deleted : user_pref("CT3279141.openUninstallPage", "true");
Line Deleted : user_pref("CT3279141.revertSettingsEnabled", "true");
Line Deleted : user_pref("CT3279141.search.searchAppId", "130028020976478709");
Line Deleted : user_pref("CT3279141.search.searchCount", "0");
Line Deleted : user_pref("CT3279141.searchFromAddressBarEnabledByUser", "true");
Line Deleted : user_pref("CT3279141.searchInNewTabEnabledByUser", "true");
Line Deleted : user_pref("CT3279141.searchInNewTabEnabledInHidden", "true");
Line Deleted : user_pref("CT3279141.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3279141.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3279141.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Deleted : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3279141\"}");
Line Deleted : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://WhiteSmokeB.OurToolbar.com//xpi\"}");
Line Deleted : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"WhiteSmoke B\"}");
Line Deleted : user_pref("CT3279141.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3279141.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1361290019996");
Line Deleted : user_pref("CT3279141.serviceLayer_services_appsMetadata_lastUpdate", "1361290019979");
Line Deleted : user_pref("CT3279141.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1361290019782");
Line Deleted : user_pref("CT3279141.serviceLayer_services_location_lastUpdate", "1361290017414");
Line Deleted : user_pref("CT3279141.serviceLayer_services_login_10.14.65.43_lastUpdate", "1361906386874");
Line Deleted : user_pref("CT3279141.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1361290019890");
Line Deleted : user_pref("CT3279141.serviceLayer_services_searchAPI_lastUpdate", "1361290017677");
Line Deleted : user_pref("CT3279141.serviceLayer_services_serviceMap_lastUpdate", "1361891985165");
Line Deleted : user_pref("CT3279141.serviceLayer_services_setupAPI_lastUpdate", "1361290020030");
Line Deleted : user_pref("CT3279141.serviceLayer_services_toolbarContextMenu_lastUpdate", "1361290019686");
Line Deleted : user_pref("CT3279141.serviceLayer_services_toolbarSettings_lastUpdate", "1361906387853");
Line Deleted : user_pref("CT3279141.serviceLayer_services_translation_lastUpdate", "1361891986594");
Line Deleted : user_pref("CT3279141.settingsINI", true);
Line Deleted : user_pref("CT3279141.shouldFirstTimeDialog", "false");
Line Deleted : user_pref("CT3279141.smartbar.CTID", "CT3279141");
Line Deleted : user_pref("CT3279141.smartbar.Uninstall", "0");
Line Deleted : user_pref("CT3279141.smartbar.homepage", true);
Line Deleted : user_pref("CT3279141.smartbar.isHidden", true);
Line Deleted : user_pref("CT3279141.smartbar.toolbarName", "WhiteSmoke B ");
Line Deleted : user_pref("CT3279141.startPage", "true");
Line Deleted : user_pref("CT3279141.toolbarBornServerTime", "19-2-2013");
Line Deleted : user_pref("CT3279141.toolbarCurrentServerTime", "26-2-2013");
Line Deleted : user_pref("CT3279141.toolbarDisabled", "true");
Line Deleted : user_pref("CT3279141.url_history0001.enc", "aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo6OmNsaWNraGFuZGxlcjo6OjEzNjEyOTAzNjMwMDcsLCxodHRwczovL3d3dy5nb29nbGUuY29tOjo6Y2xpY2toYW5kbGVyOjo6MTM2MTI5MDQ4OTM4OSwsLGh0dHBz[...]
Line Deleted : user_pref("CT3279141_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1362059844900,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "WhiteSmoke B Customized Web Search");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN22581957912599950&UM=UM_ID&q=");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3279141");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "WhiteSmoke B Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=3&q={searchTerms}&CUI=UN22581957912599950");
Line Deleted : user_pref("extensions.crossrider.bic", "13cf32e55bc7a899aa7d17691448f293");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.BUTTON_STRUCTURE", "[{\"b\":221351749,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221351750,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.firstKnownVersion", "6.33.3.53973");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?n=780bd862&p2=^GR^xpi000^YYA^");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.installDate", "2014042210");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.partnerId", "^GR^xpi000^YYA^");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.partnerSubId", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.installation.success", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.isCompliantUninstallImplementation", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.lastActivePing", "1398175944673");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.lastKnownVersion", "6.33.3.53973");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.partnerPixelFired", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.successUrl", "hxxp://home.mywebface.com/");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.toolbarCollapsed", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.weather.location", "16801");
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "");
Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "mywebface@mindspark.com");
Line Deleted : user_pref("smartBar.searchInNewTabOwner", "CT3279141");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3279141&octid=CT3279141&SearchSource=61&CUI=SB_CUI&UM=UM_ID&UP=SP9AB49014-9C0E-4F46-9CBF-2CEBEA16D578,hxxp://search.conduit[...]
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN22581957912599950&UM=UM_ID&q=");
Line Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3279141&octid=CT3279141&SearchSource=61&CUI=UN22581957912599950&UM=UM_ID&UP=SP9AB49014-9C0E-4F46-9CBF-2CEBEA16D578");
Line Deleted : user_pref("smartbar.originalSearchAddressUrl", "");
Line Deleted : user_pref("smartbar.originalSearchEngine", "");

[ File : C:\Documents and Settings\Kid Account\Application Data\Mozilla\Firefox\Profiles\yey15cmy.default\prefs.js ]


[ File : C:\Documents and Settings\Kiran\Application Data\Mozilla\Firefox\Profiles\4qb07wy5.default\prefs.js ]


-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [18587 octets] - [12/06/2014 12:41:23]
AdwCleaner[R1].txt - [18648 octets] - [12/06/2014 12:47:09]
AdwCleaner[S0].txt - [18707 octets] - [12/06/2014 12:52:05]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [18768 octets] ##########

 

Farbar FRST.txt log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:12-06-2014 02
Ran by Diva (administrator) on PATERNO2 on 12-06-2014 13:13:25
Running from C:\Documents and Settings\Diva\Desktop\Farbarfrom B
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 6
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
() C:\WINDOWS\system32\WLTRYSVC.EXE
(Broadcom Corporation) C:\WINDOWS\system32\BCMWLTRY.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(HP) C:\WINDOWS\system32\HPZipm12.exe
(IDT, Inc.) C:\Program Files\IDT\3102013105755\stacsv.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Nike) C:\Program Files\Nike\Nike+ Connect\Nike+ Connect daemon.exe
(Nike) C:\Documents and Settings\Diva\Local Settings\Application Data\Nike\Nike+ Connect\Nike+ Connect daemon.exe
(Microsoft Corporation) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115560 2009-07-08] (Symantec Corporation)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2010-03-17] (Apple Inc.)
HKLM\...\Run: [DLPSP] => C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [393944 2007-07-25] (Dell Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [405504 2007-09-14] (IDT, Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [Nike+ Connect] => C:\Program Files\Nike\Nike+ Connect\Nike+ Connect daemon.exe [70656 2013-12-11] (Nike)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-1454471165-436374069-527237240-1004\...\Run: [Nike+ Connect] => C:\Documents and Settings\Diva\Local Settings\Application Data\Nike\Nike+ Connect\Nike+ Connect daemon.exe [70656 2013-11-01] (Nike)
HKU\S-1-5-21-1454471165-436374069-527237240-1004\...\MountPoints2: {c5c925de-c486-11e1-b059-000325430188} - G:\KODAK_Camera_Setup_App.exe
HKU\S-1-5-21-1454471165-436374069-527237240-1004\...\MountPoints2: {dc7ff487-4047-11e0-ae6d-000325430188} - E:\LaunchU3.exe -a
HKU\S-1-5-21-1454471165-436374069-527237240-1004\...\MountPoints2: {f72b1c05-16df-11e3-b1a8-000325430188} - F:\TL_Bootstrap.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\Kid Account\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute:

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x6C0CCB6DB297CB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
SearchScopes: HKLM - DefaultScope value is missing.
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Tcpip\..\Interfaces\{D72D8BE5-ABA6-4B8A-A1E9-AF3D4F794654}: [NameServer]192.168.2.47

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default
FF Homepage: www.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF SearchPlugin: C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\conduit.xml
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-03-31]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

========================== Services (Whitelisted) =================

S4 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [464256 2012-10-31] (IObit)
R2 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [602112 2009-02-25] (ATI Technologies Inc.) [File not signed]
R3 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
R3 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2009-07-13] (Symantec Corporation)
S4 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [69632 2004-09-29] (HP) [File not signed]
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1864888 2009-09-17] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [341320 2009-09-17] (Symantec Corporation)
R2 STacSV; C:\Program Files\IDT\3102013105755\STacSV.exe [204800 2007-09-14] (IDT, Inc.)
R3 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2477304 2009-09-17] (Symantec Corporation)
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [1134592 2006-10-12] (Broadcom Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [3565568 2009-02-25] (ATI Technologies Inc.) [File not signed]
S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23888 2009-07-14] (Symantec Corporation)
S2 DgiVecp; C:\WINDOWS\System32\Drivers\DgiVecp.sys [40448 2003-07-29] (DeviceGuys, Inc.) [File not signed]
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-11-21] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-11-21] (Symantec Corporation)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [51120 2004-10-05] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2004-10-05] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21744 2004-10-05] (HP)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140519.003\NAVENG.SYS [93272 2013-08-22] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140519.003\NAVEX15.SYS [1612376 2013-08-22] (Symantec Corporation)
S3 rtl8185; C:\WINDOWS\System32\DRIVERS\rtl8185.sys [823936 2009-10-27] (Realtek Semiconductor Corporation                           )
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2009-08-26] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [281648 2009-08-25] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [320560 2009-08-25] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43696 2009-08-25] (Symantec Corporation)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1248056 2007-09-14] (IDT, Inc.)
S3 SWDUMon; C:\WINDOWS\System32\DRIVERS\SWDUMon.sys [13024 2013-02-19] ()
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [124976 2010-03-31] (Symantec Corporation)
R3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2009-09-03] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2009-09-03] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [92488 2009-09-17] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [50064 2009-05-27] (Symantec Corporation)
S3 usbbus; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [13056 2010-04-13] (LG Electronics Inc.)
S3 UsbDiag; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [20864 2010-04-13] (LG Electronics Inc.)
S3 USBModem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [24960 2010-04-13] (LG Electronics Inc.)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [42312 2009-09-17] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2012-09-30] (Symantec Corporation)
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [244480 2006-01-23] (Marvell)
S4 IntelIde; No ImagePath
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-12 13:12 - 2014-06-12 13:13 - 00000000 ____D () C:\FRST
2014-06-12 13:10 - 2014-06-12 13:13 - 00000000 ____D () C:\Documents and Settings\Diva\Desktop\Farbarfrom B
2014-06-12 12:41 - 2014-06-12 12:52 - 00000000 ____D () C:\AdwCleaner
2014-06-12 12:37 - 2014-06-12 12:37 - 01333465 _____ () C:\Documents and Settings\Diva\Desktop\adwcleaner_3.212.exe
2014-06-05 11:21 - 2014-06-06 11:01 - 00046640 _____ (Symantec Corporation) C:\WINDOWS\system32\msln.exe
2014-05-14 16:31 - 2014-05-14 16:31 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER

==================== One Month Modified Files and Folders =======

2014-06-12 13:14 - 2010-09-21 09:17 - 00000000 ____D () C:\Documents and Settings\Diva\Local Settings\Temp
2014-06-12 13:13 - 2014-06-12 13:12 - 00000000 ____D () C:\FRST
2014-06-12 13:13 - 2014-06-12 13:10 - 00000000 ____D () C:\Documents and Settings\Diva\Desktop\Farbarfrom B
2014-06-12 13:10 - 2010-03-31 11:50 - 01776495 _____ () C:\WINDOWS\WindowsUpdate.log
2014-06-12 12:58 - 2013-09-03 09:46 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-06-12 12:55 - 2014-03-22 13:30 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-06-12 12:55 - 2013-09-03 09:45 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-06-12 12:55 - 2013-05-28 10:41 - 00000878 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-12 12:55 - 2010-03-31 11:58 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-06-12 12:54 - 2010-03-31 11:58 - 00000178 ___SH () C:\Documents and Settings\LocalService\ntuser.ini
2014-06-12 12:53 - 2013-09-03 09:44 - 00032458 _____ () C:\WINDOWS\SchedLgU.Txt
2014-06-12 12:53 - 2010-09-21 09:17 - 00000178 ___SH () C:\Documents and Settings\Diva\ntuser.ini
2014-06-12 12:52 - 2014-06-12 12:41 - 00000000 ____D () C:\AdwCleaner
2014-06-12 12:37 - 2014-06-12 12:37 - 01333465 _____ () C:\Documents and Settings\Diva\Desktop\adwcleaner_3.212.exe
2014-06-12 12:31 - 2014-03-22 13:30 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-06-12 12:25 - 2012-05-11 11:28 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-06-12 12:24 - 2013-05-28 10:41 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-12 11:55 - 2008-04-14 08:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-06-06 11:10 - 2010-09-21 09:17 - 00000000 ____D () C:\Documents and Settings\Diva
2014-06-06 11:01 - 2014-06-05 11:21 - 00046640 _____ (Symantec Corporation) C:\WINDOWS\system32\msln.exe
2014-06-06 09:20 - 2013-09-02 12:00 - 00377301 _____ () C:\WINDOWS\iis6.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00286368 _____ () C:\WINDOWS\FaxSetup.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00154550 _____ () C:\WINDOWS\ocgen.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00136597 _____ () C:\WINDOWS\tsoc.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00095804 _____ () C:\WINDOWS\comsetup.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00059848 _____ () C:\WINDOWS\ntdtcsetup.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00020543 _____ () C:\WINDOWS\MedCtrOC.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00016336 _____ () C:\WINDOWS\ocmsn.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00014907 _____ () C:\WINDOWS\msgsocm.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00013995 _____ () C:\WINDOWS\tabletoc.log
2014-06-06 09:20 - 2013-09-02 12:00 - 00004507 _____ () C:\WINDOWS\imsins.log
2014-06-06 09:18 - 2013-09-02 12:00 - 00098708 _____ () C:\WINDOWS\msmqinst.log
2014-06-06 09:18 - 2013-09-02 12:00 - 00050598 _____ () C:\WINDOWS\netfxocm.log
2014-06-06 09:18 - 2010-03-31 06:40 - 00556530 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-06-06 09:05 - 2010-09-21 09:17 - 00000000 ___RD () C:\Documents and Settings\Diva\Start Menu\Programs\Accessories
2014-06-06 09:03 - 2010-03-31 06:26 - 00000000 ____D () C:\WINDOWS\Help
2014-06-06 09:02 - 2013-09-17 08:00 - 00080260 _____ () C:\WINDOWS\ie8Uninst.log
2014-06-06 09:02 - 2013-09-02 12:00 - 00001355 _____ () C:\WINDOWS\imsins.BAK
2014-06-06 09:02 - 2010-03-31 14:26 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-06-06 08:52 - 2013-09-02 12:00 - 00095517 _____ () C:\WINDOWS\updspapi.log
2014-06-06 08:47 - 2013-09-06 06:35 - 00087653 _____ () C:\WINDOWS\setupapi.log
2014-06-06 08:46 - 2012-09-11 11:14 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2014-06-06 08:46 - 2012-09-11 11:14 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HP
2014-05-22 21:25 - 2013-09-08 13:51 - 00489586 _____ () C:\Incoming Mails.csv
2014-05-22 08:39 - 2010-03-31 11:58 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-05-20 11:38 - 2013-07-31 09:59 - 00000000 ____D () C:\Documents and Settings\Diva\Desktop\current newsletter materials
2014-05-20 10:49 - 2011-01-20 11:08 - 00000000 ____D () C:\Documents and Settings\Diva\Desktop\SAGE FILES
2014-05-16 12:23 - 2011-06-23 18:10 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
2014-05-16 12:22 - 2011-06-23 18:09 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-05-14 16:38 - 2010-03-31 15:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2014-05-14 16:37 - 2013-09-02 12:05 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-05-14 16:32 - 2010-03-31 14:24 - 90547776 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-05-14 16:31 - 2014-05-14 16:31 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-05-14 14:17 - 2014-01-03 16:20 - 00000000 ____D () C:\Documents and Settings\Diva\Desktop\car wash
2014-05-14 14:16 - 2014-04-03 16:05 - 00000000 ____D () C:\Documents and Settings\Diva\Desktop\5th grade party
2014-05-14 14:16 - 2013-11-12 12:45 - 00000000 ____D () C:\Documents and Settings\Diva\Desktop\pix not yet used
2014-05-14 14:14 - 2011-01-26 11:05 - 00931342 ___SH () C:\Documents and Settings\Diva\Desktop\Thumbs.db

Some content of TEMP:
====================
C:\Documents and Settings\Diva\Local Settings\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

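The AdwCleaner report above deletes dozens of `user_pref(...)` lines from the Firefox prefs.js files, many of them Conduit toolbar settings whose `.enc` values are plain base64 rather than real encryption, and several of them pointing the home page, default search and new-tab page at search.conduit.com and tb.ask.com. As an added illustration (this is not code from AdwCleaner, FRST or anyone in this thread), the Python below parses "Line Deleted : user_pref(...)" entries from such a report, decodes the base64 `.enc` values, and summarises which browser behaviours were steered to which hosts. The sample lines are abridged copies of entries from the log above; the `BEHAVIOUR_HINTS` key-name heuristic is this example's own assumption, not a rule any of the tools use.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Sample input, constructed for this example: "Line Deleted" entries in the shape
# AdwCleaner writes for Firefox prefs.js, abridged from the report above (long query
# strings shortened). "hxxp" is the log's defanged spelling of "http".
SAMPLE_LOG = r'''
Line Deleted : user_pref("CT3279141.mam_gk_CouponBuddy_appState.enc", "b24=");
Line Deleted : user_pref("CT3279141.mam_gk_currentVersion.enc", "MS40LjAuNA==");
Line Deleted : user_pref("CT3279141.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3279141.mam_gk_appStateReportTime.enc", "MTM2MTI5MDAyODgzMw==");
Line Deleted : user_pref("CT3279141.mam_gk_user_apps_selection.enc", "");
Line Deleted : user_pref("CT3279141.smartbar.homepage", true);
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("extensions.toolbar.mindspark._5aMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?n=780bd862");
Line Deleted : user_pref("CT3279141.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT3279141&SearchSource=15\"}");
'''

LINE_RE = re.compile(r'^Line Deleted : user_pref\("([^"]+)",\s*(.*)\);\s*$')
# Match both real and defanged URLs, including ones buried inside JSON blobs.
URL_RE = re.compile(r'h(?:tt|xx)ps?://[^\s"\\<>\']+', re.IGNORECASE)
# Heuristic (this example's assumption): pref names that steer where the browser goes.
BEHAVIOUR_HINTS = ("homepage", "search", "startpage", "newtab", "keyword")


@dataclass
class Pref:
    key: str
    raw: str                          # value exactly as written between the parentheses
    decoded: Optional[str] = None     # plaintext of an *.enc value when it is base64 text
    hosts: list = field(default_factory=list)

    @property
    def touches_behaviour(self) -> bool:
        k = self.key.lower()
        return any(h in k for h in BEHAVIOUR_HINTS)


def unquote(raw: str) -> str:
    """Strip the JS string quoting AdwCleaner preserves (outer quotes, \\" escapes)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return raw  # true / false / bare number


def decode_enc(value: str) -> Optional[str]:
    """Decode a Conduit-style *.enc value: strict base64 around UTF-8 text, nothing more.
    Returns None for empty, non-base64 or non-text payloads so noise is never
    mistaken for a decoded setting."""
    if not value:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return text if text.isprintable() else None


def extract_hosts(value: str) -> list:
    """Hostnames of every URL in the value; hxxp is re-fanged only for parsing."""
    hosts = []
    for url in URL_RE.findall(value):
        host = urlparse(re.sub(r'^hxxp', 'http', url, flags=re.IGNORECASE)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def parse_adwcleaner_prefs(text: str) -> list:
    prefs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        value = unquote(raw)
        pref = Pref(key=key, raw=raw)
        if key.endswith(".enc"):
            pref.decoded = decode_enc(value)
        pref.hosts = extract_hosts(pref.decoded or value)
        prefs.append(pref)
    return prefs


def triage(text: str) -> dict:
    """Summarise the deleted prefs: toolbar ids seen, decoded .enc values, and which
    behaviour-steering settings pointed at which hosts."""
    prefs = parse_adwcleaner_prefs(text)
    ctids = sorted({m.group(0) for p in prefs for m in [re.match(r'^CT\d+', p.key)] if m})
    hosts = sorted({h for p in prefs for h in p.hosts})
    steered = sorted(p.key for p in prefs if p.touches_behaviour and p.hosts)
    decoded = {p.key: p.decoded for p in prefs if p.key.endswith(".enc")}
    return {"count": len(prefs), "ctids": ctids, "hosts": hosts,
            "steered": steered, "decoded": decoded}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for k, v in report["decoded"].items():
        print(f"{k}: {v!r}")
    print("toolbar ids:", report["ctids"])
    print("settings steered:", report["steered"])
    print("hosts the browser was pointed at:", report["hosts"])
```

Running it against a full report rather than the sample shows at a glance whether the cleaned entries were search and home-page hijacks (hosts like search.conduit.com) or merely leftover toolbar state, which is the distinction a responder needs before deciding whether the browser profile itself needs further attention.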

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:04 AM

Posted 13 June 2014 - 07:11 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
SearchScopes: HKLM - DefaultScope value is missing.
FF SearchPlugin: C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\conduit.xml
S4 IntelIde; No ImagePath
U1 WS2IFSL;

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Let me know what problem persists.

#5 CobaltPascal

CobaltPascal
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 13 June 2014 - 11:28 AM

Nasdaq,

I performed the steps you directed, then restarted and ran a full Symantec EP scan again. It still boots up and shows the screen background image, but takes several minutes to show the desktop items, the Start button and the lower tray icons.  The full scan again reveals the same two files as Hacktool.Rootkit and says "Primary Action - Restart Required Cleaned Security Risk" and "Secondary Action - Restart Required Quarantined".

 

The two files are

A0238859.sys

Ao238860.sys

and both are located in the same folder 

C:\System Volume Information\-restore{52960AD1-E06B-4B7E-8B05-A5E5C3829072}\RP632\

The logs / files you requested are posted below.  Thank you again for your assistance.

- CobaltPascal

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:12-06-2014 02
Ran by Diva at 2014-06-13 10:21:31 Run:1
Running from C:\Documents and Settings\Diva\Desktop\Farbarfrom B
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
SearchScopes: HKLM - DefaultScope value is missing.
FF SearchPlugin: C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\conduit.xml
S4 IntelIde; No ImagePath
U1 WS2IFSL;

End
*****************

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\conduit.xml => Moved successfully.
IntelIde => Service deleted successfully.
WS2IFSL => Service deleted successfully.

==== End of Fixlog ====

Checkup.txt:

 Results of screen317's Security Check version 0.99.84  
 Windows XP Service Pack 3 x86   
 Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Please wait while WMIC is being installed.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
S
y
m
a
n
t
e
c
ECHO is off.
E
n
d
p
o
i
n
t
ECHO is off.
P
r
o
t
e
c
t
i
o
n
ECHO is off.
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
  Adobe Flash Player     11.7.700.202 Flash Player out of Date!  
 Adobe Reader 10.1.10 Adobe Reader out of Date!  
 Mozilla Firefox (29.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````
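
As an added example (not part of the thread, and not FRST's own code), the script below parses the fixlist nasdaq posted in reply #4 and the Fixlog.txt CobaltPascal posted in reply #5, then checks that every directive in the fixlist has a matching result line in the log. This is the check a helper does by eye when reading a Fixlog: each asked-for action should report back, and nothing unasked-for should appear. The three directive patterns are my own reading of the line types in this particular fixlist, not FRST's full syntax.

```python
import re

# Fixlist directives from nasdaq's reply #4, copied from the thread as sample input.
FIXLIST = r"""start
SearchScopes: HKLM - DefaultScope value is missing.
FF SearchPlugin: C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\conduit.xml
S4 IntelIde; No ImagePath
U1 WS2IFSL;

End
"""

# Fixlog.txt as CobaltPascal posted it in reply #5. The header and the echoed
# fixlist are kept so the parser has to skip them, as it would on a real log.
FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:12-06-2014 02
Ran by Diva at 2014-06-13 10:21:31 Run:1
Boot Mode: Normal

Content of fixlist:
*****************
start
SearchScopes: HKLM - DefaultScope value is missing.
FF SearchPlugin: C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\conduit.xml
S4 IntelIde; No ImagePath
U1 WS2IFSL;

End
*****************

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
C:\Documents and Settings\Diva\Application Data\Mozilla\Firefox\Profiles\xtxp73fi.default\searchplugins\conduit.xml => Moved successfully.
IntelIde => Service deleted successfully.
WS2IFSL => Service deleted successfully.

==== End of Fixlog ====
"""

# Line types seen in this fixlist (my own patterns, not FRST's grammar):
DIRECTIVE_PATTERNS = (
    # "SearchScopes: HKLM - DefaultScope value is missing." -> registry value to restore
    ("registry", re.compile(r"^SearchScopes:\s+\S+\s+-\s+(?P<key>\w+)")),
    # "FF SearchPlugin: <path>" -> file to move out of the Firefox profile
    ("file", re.compile(r"^FF SearchPlugin:\s+(?P<key>.+?)\s*$")),
    # "S4 IntelIde; No ImagePath" / "U1 WS2IFSL;" -> service entry to delete
    ("service", re.compile(r"^[SU]\d\s+(?P<key>[^;\s]+);")),
)

# Every FRST result line has the shape "<target> => <message>".
RESULT_RE = re.compile(r"^(?P<target>.+?)\s+=>\s+(?P<message>.+?)\s*$")


def parse_fixlist(text):
    """Return [(kind, key), ...] for the directives between 'start' and 'End'."""
    directives, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == "start":
            inside = True
            continue
        if s.lower() == "end":
            break
        if not inside or not s:
            continue
        for kind, pat in DIRECTIVE_PATTERNS:
            m = pat.match(s)
            if m:
                directives.append((kind, m.group("key")))
                break
        else:
            directives.append(("unknown", s))
    return directives


def parse_fixlog(text):
    """Return [(target, message), ...] for the '=>' result lines only."""
    return [(m.group("target"), m.group("message"))
            for m in (RESULT_RE.match(l.strip()) for l in text.splitlines()) if m]


def _matches(kind, key, target):
    if kind == "registry":
        # The log prints the full key path; the directive only names the value.
        return target.lower().endswith("\\" + key.lower())
    return target.lower() == key.lower()


def reconcile(fixlist_text, fixlog_text):
    """Pair each directive with its result line. Returns (report, unexpected):
    report is [(kind, key, status)], unexpected is result lines nobody asked for."""
    directives, results = parse_fixlist(fixlist_text), parse_fixlog(fixlog_text)
    used, report = set(), []
    for kind, key in directives:
        hit = next((i for i, (t, _) in enumerate(results)
                    if i not in used and _matches(kind, key, t)), None)
        if hit is None:
            report.append((kind, key, "NO RESULT LINE"))
        else:
            used.add(hit)
            report.append((kind, key, results[hit][1]))
    unexpected = [r for i, r in enumerate(results) if i not in used]
    return report, unexpected


def all_succeeded(report):
    return bool(report) and all("successfully" in status.lower() for _, _, status in report)


if __name__ == "__main__":
    report, unexpected = reconcile(FIXLIST, FIXLOG)
    for kind, key, status in report:
        print(f"{kind:8} {key[-40:]:40} {status}")
    print("all directives succeeded:", all_succeeded(report), "| unexpected:", unexpected)
```

A directive with "NO RESULT LINE" is the case worth looking at: either the fixlist line was malformed and FRST ignored it, or the item was gone before the fix ran. The second test below simulates that by dropping the WS2IFSL line from the log.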
#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:04 AM

Posted 13 June 2014 - 01:48 PM

The two files are
A0238859.sys
Ao238860.sys
and both are located in the same folder
C:\System Volume Information\-restore{52960AD1-E06B-4B7E-8B05-A5E5C3829072}\RP632\
The safest way is to go to "My Computer" > right click the C: drive > Properties > Disk Cleanup > Advanced > and Delete all restore points except the most recent.

If that fails to remove the culprit:

Find System Restore on your Start Menu and disable it. All points will be lost. Then re-enable it.

----

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Keep me posted.
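
Reply #6 acts on two findings from reply #5: the detected files sit inside a System Restore point, and checkup.txt lists out-of-date software. The added example below (my own code, not SecurityCheck's or Symantec's) does both jobs mechanically. First, it recognises the restore-point layout Windows XP uses (`<drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>`; the thread writes the folder as "-restore", and both spellings are accepted) so a detection path can be labelled as an archived copy rather than a live driver, which is why clearing restore points removes it. Second, it parses the checkup.txt posted in reply #5, including the one-character-per-line product name that SecurityCheck printed when its WMIC query went sideways, and returns the products flagged as out of date. The sample checkup text is the posted one, with the backtick header lines rebuilt by a helper so the listing stays readable.

```python
import re

# --- 1. Where did the detection land? -----------------------------------------
# Windows XP restore-point copies live under
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<7 digits>.<ext>
# The thread spells the folder "-restore"; the real name is "_restore", so the
# pattern accepts either.
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[a-z]:)\\system volume information\\[_-]restore\{(?P<guid>[0-9a-f-]{36})\}"
    r"\\rp(?P<rp>\d+)\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)


def classify_detection_path(path):
    """('restore-point', <RP number>) for an archived copy, ('live', None) otherwise."""
    m = RESTORE_POINT_RE.match(path.strip())
    if m:
        return ("restore-point", int(m.group("rp")))
    return ("live", None)


# --- 2. Reading checkup.txt ----------------------------------------------------
WMIC_PREFIX = "Please wait while WMIC is being installed."
SECTION_RE = re.compile(r"^\s*`+\s*(?P<name>[^`]+?):?\s*`+\s*$")
# "<product> <version> ... out of date!" (SecurityCheck varies the capitalisation)
OUTDATED_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][^\d(]*?)\s+\(?(?P<version>\d[\w.]*)\)?.*out of date!", re.IGNORECASE)


def _hdr(title, n=14):
    return "`" * n + title + "`" * n


# checkup.txt as CobaltPascal posted it in reply #5 (sample input for this example).
CHECKUP = "\n".join([
    " Results of screen317's Security Check version 0.99.84",
    " Windows XP Service Pack 3 x86",
    " Internet Explorer 6 Out of date!",
    _hdr("Antivirus/Firewall Check:"),
    "Please wait while WMIC is being installed.d",   # the "d" of displayName got glued on
    *"isplayName", "ECHO is off.",
    *"Symantec", "ECHO is off.",
    *"Endpoint", "ECHO is off.",
    *"Protection", "ECHO is off.",
    " Antivirus up to date!",
    _hdr("Anti-malware/Other Utilities Check:", 9),
    "  Adobe Flash Player     11.7.700.202 Flash Player out of Date!",
    " Adobe Reader 10.1.10 Adobe Reader out of Date!",
    " Mozilla Firefox (29.0.1)",
    _hdr("Process Check: objlist.exe by Laurent", 8),
    " Norton ccSvcHst.exe",
    _hdr("System Health check", 17),
    " Total Fragmentation on Drive C:: 6%",
    _hdr("End of Log", 20),
])


def antivirus_name(lines):
    """Re-join the product name SecurityCheck printed one character per line.
    'ECHO is off.' is what the batch echo of an empty value looks like, and here it
    falls between words, so it is treated as a word boundary. The first word is
    WMIC's 'displayName' column header, not part of the product name."""
    words, buf = [], ""
    for line in lines:
        s = line.strip()
        if s.startswith(WMIC_PREFIX):
            s = s[len(WMIC_PREFIX):]
        if len(s) == 1:
            buf += s
            continue
        if buf:
            words.append(buf)
            buf = ""
    if buf:
        words.append(buf)
    if words and words[0].lower() == "displayname":
        words = words[1:]
    return " ".join(words)


def parse_checkup(text):
    """Split checkup.txt into its backtick-delimited sections and extract the
    findings a responder acts on: AV product, its update state, out-of-date software."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif raw.strip():
            sections[current].append(raw)
    av_lines = sections.get("Antivirus/Firewall Check", [])
    out_of_date = [(m.group("name").strip(), m.group("version"))
                   for lines in sections.values() for line in lines
                   for m in [OUTDATED_RE.match(line)] if m]
    return {
        "antivirus": antivirus_name(av_lines),
        "antivirus_up_to_date": any("up to date" in l.lower() for l in av_lines),
        "out_of_date": out_of_date,
    }


if __name__ == "__main__":
    rp = r"C:\System Volume Information\-restore{52960AD1-E06B-4B7E-8B05-A5E5C3829072}\RP632\A0238859.sys"
    print(classify_detection_path(rp))
    print(parse_checkup(CHECKUP))
```

The restore-point check is the part to keep around: an AV hit whose path matches that pattern is a copy the scanner cannot clean in place, which is exactly the "Restart Required" loop reported above, and the fix is to drop the restore points, not to chase a live driver. The out-of-date list is what turns the checkup.txt wall of text into the Flash and Reader update requests in this reply.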

#7 CobaltPascal

CobaltPascal
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 18 June 2014 - 01:45 PM

nasdaq,
Thank you again for your excellent help.  I followed your instructions, and all seems fine now for several days in a row!  Let's call this solved successfully.  Much appreciated.
#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:04 AM

Posted 19 June 2014 - 07:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.