
Laptop is infected!


Baxthar


Hello, my mother traded her laptop for my cousin's desktop. All went well until my cousin downloaded BearShare and ruined the laptop; I can only use it in safe mode. When I try to start it up normally I get a pink screen straight after the login screen, and then it loads to the desktop but then stops working.

DDS.txt:

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.7930.16406 BrowserJavaVersion: 1.6.0_33

Run by D Clark at 10:38:32 on 2012-09-20

Microsoft Windows 7 Starter 6.1.7600.0.1252.44.1033.18.1012.500 [GMT 1:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Soda PDF Helper: {5cfcaff6-5bb0-4864-b626-021c99ed82e5} - c:\program files\soda pdf\PDFIEHelper.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Soda PDF Toolbar: {980eb9ec-6eb5-4258-bddb-efe25c5f99ef} - c:\program files\soda pdf\PDFIEPlugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {7846AE31-BEA2-438A-8F5E-2D899361656C} - No File

TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File

EB: {E4770E5C-7097-468F-B71D-576096DA4D55} - No File

uRun: [MyBrowserCash Automatic Updater] c:\windows\system32\MyBrowserCashUpdater.exe

uRun: [Google Update] "c:\users\d clark\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

uRun: [MyBrowserCash] c:\program files\mybrowsercash\MyBrowserCash.exe

mRun: [<NO NAME>]

mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [ZumoDrive] "c:\program files\hewlett-packard\hp clouddrive\ZumoLauncher.lnk"

mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden

mRun: [HP Quick Launch] c:\program files\hewlett-packard\hp quick launch\HPMSGSVC.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript

StartupFolder: c:\users\dclark~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\cashfi~1.lnk - c:\users\d clark\appdata\roaming\cashfiesta\fiestabar\Cashfiesta.exe

StartupFolder: c:\users\dclark~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe

StartupFolder: c:\users\dclark~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\common files\microsoft shared\virtualization handler\CVH.EXE

StartupFolder: c:\users\dclark~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpmedi~1.lnk - c:\program files\hewlett-packard\hp media suite\home\ArcStart.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{2003967A-10CD-4968-8782-C6CB7D90829A} : NameServer = 174.114.184.185

TCP: Interfaces\{5BB0C966-878B-4648-9131-A887EABD5533} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{5BB0C966-878B-4648-9131-A887EABD5533}\245626F687039363034363 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{5BB0C966-878B-4648-9131-A887EABD5533}\35B4959383635313 : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{5BB0C966-878B-4648-9131-A887EABD5533}\4514C4B44514C4B4D2242463533303 : DhcpNameServer = 192.168.1.1 192.168.1.1

TCP: Interfaces\{5BB0C966-878B-4648-9131-A887EABD5533}\4514C4B44514C4B4D2342483646323 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{5BB0C966-878B-4648-9131-A887EABD5533}\F42377962756C6563737648364736333 : DhcpNameServer = 192.168.1.254

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: ;??

mASetup: {4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B} - c:\program files\hewlett-packard\hp media suite\home\HPMediaSuite.exe "/installer"

mASetup: {4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B} - c:\windows\system32\wscript.exe "c:\program files\hewlett-packard\hp media suite\home\PinItem.vbs"

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\d clark\appdata\roaming\mozilla\firefox\profiles\fsbnc3b0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1734448&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Free Traffic Bar Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HBLiteSA.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\d clark\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-17 721000]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-26 353688]

S1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\AEstSrv.exe [2009-3-3 81920]

S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-11-16 29416]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-26 21256]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-10-26 57656]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2012-7-4 44808]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]

S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\quickweb\qw.sys\config\DVMExportService.exe [2010-4-1 338168]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-18 136176]

S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-10-14 92216]

S2 HPWMISVC;HPWMISVC;c:\program files\hewlett-packard\hp quick launch\HPWMISVC.exe [2010-4-9 26168]

S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-13 399432]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-5 676936]

S2 MSSQL$ADCENTERDESKTOP;SQL Server (ADCENTERDESKTOP);c:\program files\microsoft sql server\mssql10_50.adcenterdesktop\mssql\binn\sqlservr.exe [2010-4-3 42884448]

S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-15 158856]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-6-10 286248]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-6-10 33320]

S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2009-8-10 89600]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-18 136176]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-5 22856]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-28 114144]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-6-10 186912]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-10 204288]

S3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]

S3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]

S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]

S3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]

S3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]

S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]

S4 SQLAgent$ADCENTERDESKTOP;SQL Server Agent (ADCENTERDESKTOP);c:\program files\microsoft sql server\mssql10_50.adcenterdesktop\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]

.

=============== Created Last 30 ================

.

2012-09-20 09:36:23 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{92604979-3ec0-41e2-97fa-443441a9a38f}\offreg.dll

2012-09-13 17:26:11 -------- d-sh--w- C:\found.007

2012-09-13 13:06:08 -------- d-----w- c:\program files\ESET

2012-09-13 09:41:33 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{92604979-3ec0-41e2-97fa-443441a9a38f}\mpengine.dll

2012-09-13 09:27:05 -------- d-sh--w- C:\found.006

2012-09-12 09:06:01 -------- d-----w- C:\d3c1cc96e925c0dbe72cd687

2012-09-08 16:15:04 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll

2012-09-05 09:46:30 -------- d-sh--w- C:\found.005

2012-09-05 00:47:15 -------- d-sh--w- C:\found.004

2012-09-04 23:43:44 -------- d-----w- c:\users\d clark\appdata\roaming\Malwarebytes

2012-09-04 23:43:24 -------- d-----w- c:\programdata\Malwarebytes

2012-09-04 23:43:23 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-04 23:43:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-04 23:20:24 -------- d-sh--w- C:\found.003

2012-09-04 22:51:00 -------- d-----w- c:\users\d clark\appdata\roaming\Cashfiesta

2012-09-04 19:09:16 -------- d-sh--w- C:\found.002

2012-09-02 00:07:15 -------- d-----w- c:\programdata\F28C

2012-08-28 23:15:21 -------- d-----w- c:\users\d clark\appdata\roaming\Digital_Paper_Products,_I

2012-08-28 23:15:08 -------- d-----w- c:\users\d clark\appdata\local\Digital_Paper_Products,_I

2012-08-27 22:52:14 -------- d-----w- c:\programdata\boost_interprocess

2012-08-27 22:52:10 -------- d-----w- c:\users\d clark\appdata\roaming\MusicNet

2012-08-27 22:49:40 -------- d-----w- c:\programdata\BearShare

2012-08-27 22:48:45 -------- dc-h--w- c:\programdata\{D79D348D-B804-455D-BF34-7E3989C8E84D}

.

==================== Find3M ====================

.

2012-07-18 17:10:29 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-06 19:31:59 393216 ----a-w- c:\windows\system32\drivers\bthport.sys

2012-07-04 21:23:55 41472 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 21:23:55 102912 ----a-w- c:\windows\system32\browser.dll

2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-07-03 16:21:53 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-07-03 16:21:53 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr

2012-06-27 12:14:01 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-27 12:14:01 472840 ----a-w- c:\windows\system32\deployJava1.dll

.

============= FINISH: 10:40:45.23 ===============

Attach.txt

ark.txt
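One way to triage the "Pseudo HJT Report" section of a DDS log like the one above, as an added example that is not part of this thread or of the DDS tool: it parses the autostart lines (uRun/mRun/mRunOnce/StartupFolder/BHO/TB/EB), recovers the image path each one resolves to, and flags orphaned entries and programs launched from user-writable locations. The sample lines are constructed from entry shapes seen in the log, and the flag heuristics are this example's own assumptions.

```python
"""Triage helper for the autostart lines of a DDS log ("Pseudo HJT Report").

Added example; not part of the DDS tool or the forum's own tooling. Flags are
triage hints, not verdicts: legitimate updaters also run from AppData.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines, constructed from entry shapes that appear in a DDS log.
SAMPLE_LOG = r"""
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {7846AE31-BEA2-438A-8F5E-2D899361656C} - No File
uRun: [MyBrowserCash Automatic Updater] c:\windows\system32\MyBrowserCashUpdater.exe
uRun: [Google Update] "c:\users\d clark\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [MyBrowserCash] c:\program files\mybrowsercash\MyBrowserCash.exe
mRun: [<NO NAME>]
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\users\dclark~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\cashfi~1.lnk - c:\users\d clark\appdata\roaming\cashfiesta\fiestabar\Cashfiesta.exe
"""

RUN_KINDS = ("uRun", "mRun", "mRunOnce")
COM_KINDS = ("BHO", "TB", "EB")
# DDS defangs URLs as hxxp:// so they are not clickable in forum posts.
START_PAGE_RE = re.compile(r"^uStart Page = hxxps?://([^/?\s]+)", re.IGNORECASE)
# First token ending in a common image extension; copes with unquoted paths containing spaces.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|lnk|scr|vbs|bat|cmd))"?(?:\s|$)', re.IGNORECASE)
# Assumed heuristic: locations a standard user can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


@dataclass
class AutostartEntry:
    kind: str
    name: str
    path: Optional[str]            # None when DDS reports "No File" or the entry is empty
    flags: List[str] = field(default_factory=list)


def image_path(target: str) -> Optional[str]:
    """Pull the executable/DLL path out of a 'path args' or '"path" args' string."""
    m = IMAGE_RE.match(target.strip())
    return m.group(1).lower() if m else None


def start_page_host(line: str) -> Optional[str]:
    """Host of the IE start page from a 'uStart Page = hxxp://...' line, else None."""
    m = START_PAGE_RE.match(line)
    return m.group(1).lower() if m else None


def parse_entry(line: str) -> Optional[AutostartEntry]:
    """Parse one Pseudo HJT line; return None for lines that are not autostart entries."""
    kind, sep, rest = line.partition(": ")
    if not sep:
        return None
    if kind in RUN_KINDS:                       # "[Name] path args"
        m = re.match(r"^\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$", rest)
        if not m:
            return None
        entry = AutostartEntry(kind, m["name"], image_path(m["target"]))
    elif kind in COM_KINDS:                     # "Name: {GUID} - path" or "{GUID} - No File"
        m = re.match(r"^(?:(?P<name>.*?): )?(?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$", rest)
        if not m:
            return None
        target = None if m["target"] == "No File" else image_path(m["target"])
        entry = AutostartEntry(kind, m["name"] or m["guid"], target)
    elif kind == "StartupFolder":               # "shortcut.lnk - target"
        shortcut, _, target = rest.rpartition(" - ")
        entry = AutostartEntry(kind, shortcut.rsplit("\\", 1)[-1], image_path(target))
    else:
        return None
    if entry.path is None:
        entry.flags.append("orphaned or empty entry")
    elif entry.path.startswith(USER_WRITABLE):
        entry.flags.append("runs from user-writable location")
    return entry


def triage(log_text: str) -> List[AutostartEntry]:
    """Return only the autostart entries that carry at least one flag."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e and e.flags]


if __name__ == "__main__":
    host = next(filter(None, map(start_page_host, SAMPLE_LOG.splitlines())), None)
    print(f"IE start page host: {host}")
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:14} {e.name:35} {e.path or '-'}  <- {', '.join(e.flags)}")
```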


Hello Baxthar and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

If you want help here, tell the BC Team that you are already getting help here.

http://www.bleepingcomputer.com/forums/topic469250.html



Ok I have posted on my thread at BleepingComputer, thank you for responding to my thread.


Thanks! :)

Step 1

Please uninstall the following applications:

Casino Riva

Casino.com

MyBrowserCash version 2.0

OnlineCasinoCentral.com

Roulette Bot Plus

Plaza Win

Swiss Casino

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log


Step 1:

Done


I scanned the laptop the other day with MBAM on full scan and there were 11 infections, but I removed them. (It didn't help the laptop at all though.)

Step 2:



Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.23.02

Windows 7 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.7930.16406
D Clark :: DCLARK-PC [administrator]

23/09/2012 12:18:22
mbam-log-2012-09-23 (12-18-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232973
Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Step 3:

Laptop blue screened while scanning with aswMBR.



aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-23 12:40:25
-----------------------------
12:40:25.860 OS Version: Windows 6.1.7600
12:40:25.860 Number of processors: 2 586 0x1C0A
12:40:25.860 ComputerName: DCLARK-PC UserName: D Clark
12:40:38.855 Initialize success
12:40:40.088 AVAST engine defs: 12091300
12:40:42.225 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:40:42.225 Disk 0 Vendor: ST925041 0006 Size: 238475MB BusType: 3
12:40:42.240 Disk 0 MBR read successfully
12:40:42.256 Disk 0 MBR scan
12:40:42.552 Disk 0 unknown MBR code
12:40:42.599 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
12:40:42.942 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 222777 MB offset 409600
12:40:42.989 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 15394 MB offset 456656896
12:40:43.005 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 488183808
12:40:43.098 Disk 0 scanning sectors +488395120
12:40:43.442 Disk 0 scanning C:\Windows\system32\drivers
12:41:02.380 Service scanning
12:41:28.775 Modules scanning
12:41:32.597 Disk 0 trace - called modules:
12:41:32.644 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
12:41:32.644 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84e4c8f0]
12:41:32.660 3 CLASSPNP.SYS[86d8759e] -> nt!IofCallDriver -> [0x84426c70]
12:41:32.675 5 ACPI.sys[8675f3b2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84427028]
12:41:33.253 AVAST engine scan C:\Windows
12:41:35.795 AVAST engine scan C:\Windows\system32
12:45:22.027 AVAST engine scan C:\Windows\system32\drivers
12:45:55.193 AVAST engine scan C:\Users\D Clark
12:57:38.317 AVAST engine scan C:\ProgramData
13:04:17.381 Scan finished successfully
13:08:50.928 Disk 0 MBR has been saved successfully to "C:\Users\D Clark\Downloads\Desktop\MBR.dat"
13:08:50.943 The log file has been saved successfully to "C:\Users\D Clark\Downloads\Desktop\aswMBR.txt"


http://uppit.com/c8wl278nyya4/Attach.txt

http://uppit.com/a1yaan22m8x1/DDS.TXT


Please do the following:


  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here

    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
    • Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQs here or ask and we'll explain how to do it.


Okay, try this:

Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


ComboFix.txt:



ComboFix 12-09-23.02 - D Clark 23/09/2012 16:09:38.1.2 - x86 NETWORK
Microsoft Windows 7 Starter 6.1.7600.0.1252.44.1033.18.1012.613 [GMT 1:00]
Running from: c:\users\D Clark\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
ADS - Windows: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\100
c:\users\D Clark\AppData\Local\assembly\tmp
c:\users\D Clark\AppData\Roaming\Cashfiesta
c:\users\D Clark\AppData\Roaming\Cashfiesta\FiestaBar\base_m.swf
c:\users\D Clark\AppData\Roaming\Cashfiesta\FiestaBar\Cashfiesta.exe
c:\users\D Clark\AppData\Roaming\Cashfiesta\FiestaBar\cherry.cfx
c:\users\D Clark\AppData\Roaming\Cashfiesta\FiestaBar\default.cfx
c:\users\D Clark\AppData\Roaming\Cashfiesta\FiestaBar\silver.cfx
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\iun6002.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
.
.
2012-09-23 15:00 . 2012-09-23 15:00 -------- d-----w- c:\users\D Clark\AppData\Roaming\Malwarebytes
2012-09-23 15:00 . 2012-09-23 15:00 -------- d-----w- c:\programdata\Malwarebytes
2012-09-23 15:00 . 2012-09-23 15:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-23 15:00 . 2012-09-07 16:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-23 15:00 . 2012-09-23 15:00 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{92604979-3EC0-41E2-97FA-443441A9A38F}\offreg.dll
2012-09-13 17:26 . 2012-09-13 17:26 -------- d-----w- C:\found.007
2012-09-13 13:06 . 2012-09-13 13:06 -------- d-----w- c:\program files\ESET
2012-09-13 09:41 . 2012-08-28 00:50 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{92604979-3EC0-41E2-97FA-443441A9A38F}\mpengine.dll
2012-09-13 09:27 . 2012-09-13 09:27 -------- d-----w- C:\found.006
2012-09-12 09:06 . 2012-09-12 09:06 -------- d-----w- C:\d3c1cc96e925c0dbe72cd687
2012-09-08 16:15 . 2012-09-08 16:15 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-09-05 09:46 . 2012-09-05 09:46 -------- d-----w- C:\found.005
2012-09-05 00:47 . 2012-09-05 00:47 -------- d-----w- C:\found.004
2012-09-04 23:20 . 2012-09-04 23:20 -------- d-----w- C:\found.003
2012-09-04 19:09 . 2012-09-04 19:09 -------- d-----w- C:\found.002
2012-09-02 00:07 . 2012-09-02 00:07 -------- d-----w- c:\programdata\F28C
2012-08-28 23:15 . 2012-08-28 23:15 -------- d-----w- c:\users\D Clark\AppData\Roaming\Digital_Paper_Products,_I
2012-08-28 23:15 . 2012-08-28 23:15 -------- d-----w- c:\users\D Clark\AppData\Local\Digital_Paper_Products,_I
2012-08-27 22:52 . 2012-08-27 23:08 -------- d-----w- c:\programdata\boost_interprocess
2012-08-27 22:52 . 2012-08-27 22:52 -------- d-----w- c:\users\D Clark\AppData\Roaming\MusicNet
2012-08-27 22:49 . 2012-08-27 22:49 -------- d-----w- c:\programdata\BearShare
2012-08-27 22:48 . 2012-09-04 21:15 -------- dc-h--w- c:\programdata\{D79D348D-B804-455D-BF34-7E3989C8E84D}
2012-08-26 14:11 . 2012-08-26 14:11 -------- d-----w- c:\users\Guest\AppData\Roaming\Template
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 17:10 . 2012-08-16 07:29 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-07-06 19:31 . 2012-08-16 16:34 393216 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-07-04 21:23 . 2012-08-16 07:29 102912 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:23 . 2012-08-16 07:29 41472 ----a-w- c:\windows\system32\browcli.dll
2012-06-27 12:14 . 2012-06-27 12:14 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-27 12:14 . 2011-02-01 19:55 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-08 16:15 . 2012-04-28 12:08 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZumoDrive"="c:\program files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2010-05-18 2038]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-16 1721640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-24 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-24 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-04-05 8192]
"HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-04-09 601144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-24 173592]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-07 766536]
.
c:\users\CHARLIES PLACE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\
Think Green Weather.lnk - c:\program files\Stardock\DesktopGadgets\Think Green Weather\Think Green Weather.exe [N/A]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\
Think Green Weather.lnk - c:\program files\Stardock\DesktopGadgets\Think Green Weather\Think Green Weather.exe [N/A]
.
c:\users\D Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Cashfiesta.lnk - c:\users\D Clark\AppData\Roaming\Cashfiesta\FiestaBar\Cashfiesta.exe [N/A]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-2-12 576000]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE [2012-1-4 3208032]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-3-9 828704]
HP Media Suite.lnk - c:\program files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe [2010-4-2 91648]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Think Green Weather.lnk - c:\program files\Stardock\DesktopGadgets\Think Green Weather\Think Green Weather.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\aestsrv.exe [x]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B}]
2010-04-19 03:47 702464 ----a-w- c:\program files\Hewlett-Packard\HP Media Suite\Home\HPMediaSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B}]
2009-07-14 01:14 141824 ----a-w- c:\windows\System32\wscript.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-18 09:46]
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-18 09:46]
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1171560890-748688727-204245410-1000Core.job
- c:\users\D Clark\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-16 08:12]
.
2012-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1171560890-748688727-204245410-1000UA.job
- c:\users\D Clark\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-16 08:12]
.
2012-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1171560890-748688727-204245410-1002Core.job
- c:\users\CHARLIES PLACE\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-03 18:51]
.
2012-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1171560890-748688727-204245410-1002UA.job
- c:\users\CHARLIES PLACE\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-03 18:51]
.
2012-08-16 c:\windows\Tasks\HPCeeScheduleForD Clark.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2003967A-10CD-4968-8782-C6CB7D90829A}: NameServer = 174.114.184.185
FF - ProfilePath - c:\users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1734448&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - viraltrafficfrenzy Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2517034&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{7846ae31-bea2-438a-8f5e-2d899361656c} - (no file)
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
Toolbar-10 - (no file)
WebBrowser-{7846AE31-BEA2-438A-8F5E-2D899361656C} - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
ShellIconOverlayIdentifiers-{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d} - (no file)
HKCU-Run-MyBrowserCash Automatic Updater - c:\windows\system32\MyBrowserCashUpdater.exe
AddRemove-{08DB3902-2CE0-474D-BCE3-0177766CE9F1} - c:\program files\InstallShield Installation Information\{08DB3902-2CE0-474D-BCE3-0177766CE9F1}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-23 16:43:08
ComboFix-quarantined-files.txt 2012-09-23 15:43
.
Pre-Run: 157,113,929,728 bytes free
Post-Run: 157,023,166,464 bytes free
.
- - End Of File - - F7E45CE5AA8D67C6FAC8B0178FC19294


Good! :)

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.




# AdwCleaner v2.002 - Logfile created 09/23/2012 at 17:38:54
# Updated 16/09/2012 by Xplode
# Operating system : Windows 7 Starter (32 bits)
# User : D Clark - DCLARK-PC
# Boot Mode : Safe mode with networking
# Running from : C:\Users\D Clark\Downloads\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
File Found : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\extensions\toolbar@alexa.com.xpi
File Found : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\searchplugins\Search_Results.xml
Folder Found : C:\Program Files\Common Files\spigot
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\ProgramData\Premium
Folder Found : C:\Users\CHARLIES PLACE\AppData\LocalLow\mediabarim
Folder Found : C:\Users\D Clark\AppData\Local\Conduit
Folder Found : C:\Users\D Clark\AppData\Local\OpenCandy
Folder Found : C:\Users\D Clark\AppData\LocalLow\Conduit
Folder Found : C:\Users\D Clark\AppData\LocalLow\FunWebProducts
Folder Found : C:\Users\D Clark\AppData\LocalLow\PriceGong
Folder Found : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\CT2517034
Folder Found : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\extensions\{fee90072-01ea-4444-8fca-d460fe44f920}
Folder Found : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\FCTB
Folder Found : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\Smartbar
Folder Found : C:\Users\D Clark\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Software
Key Found : HKU\S-1-5-21-1171560890-748688727-204245410-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.7930.16406

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\prefs.js

Found : user_pref("CT2517034.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Found : user_pref("CT2517034.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Found : user_pref("CT2517034.FirstTime", "true");
Found : user_pref("CT2517034.FirstTimeFF3", "true");
Found : user_pref("CT2517034.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT251[...]
Found : user_pref("CT2517034.UserID", "UN70045496857300459");
Found : user_pref("CT2517034.addressBarTakeOverEnabledInHidden", "true");
Found : user_pref("CT2517034.browser.search.defaultthis.engineName", true);
Found : user_pref("CT2517034.embeddedsData", "[{\"appId\":\"129090939799836784\",\"apiPermissions\":{\"cross[...]
Found : user_pref("CT2517034.enableAlerts", "never");
Found : user_pref("CT2517034.firstTimeDialogOpened", "true");
Found : user_pref("CT2517034.fixPageNotFoundErrorInHidden", "true");
Found : user_pref("CT2517034.fixUrls", true);
Found : user_pref("CT2517034.hxxp___www_viraltrafficfrenzy_com.ID", "MTAwMDg=");
Found : user_pref("CT2517034.installType", "DirectDownload");
Found : user_pref("CT2517034.isCheckedStartAsHidden", true);
Found : user_pref("CT2517034.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Found : user_pref("CT2517034.isFirstTimeToolbarLoading", "false");
Found : user_pref("CT2517034.isNewTabEnabled", false);
Found : user_pref("CT2517034.isPerformedSmartBarTransition", "true");
Found : user_pref("CT2517034.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Found : user_pref("CT2517034.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Found : user_pref("CT2517034.keyword", true);
Found : user_pref("CT2517034.migrateAppsAndComponents", true);
Found : user_pref("CT2517034.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fwww.google.com%2[...]
Found : user_pref("CT2517034.personalApps", "{\"dataType\":\"object\",\"data\":\"[\\\"EMAIL_NOTIFIER\\\"]\"}[...]
Found : user_pref("CT2517034.search.searchAppId", "129090939799836784");
Found : user_pref("CT2517034.search.searchCount", "0");
Found : user_pref("CT2517034.searchInNewTabEnabled", "false");
Found : user_pref("CT2517034.searchInNewTabEnabledInHidden", "true");
Found : user_pref("CT2517034.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"true\"}");
Found : user_pref("CT2517034.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Found : user_pref("CT2517034.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Found : user_pref("CT2517034.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Found : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Found : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Found : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Found : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Found : user_pref("CT2517034.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1348316781772");
Found : user_pref("CT2517034.serviceLayer_services_appsMetadata_lastUpdate", "1348403181965");
Found : user_pref("CT2517034.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1348316782434");
Found : user_pref("CT2517034.serviceLayer_services_login_10.13.1.89_lastUpdate", "1348402286896");
Found : user_pref("CT2517034.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1348316782628");
Found : user_pref("CT2517034.serviceLayer_services_searchAPI_lastUpdate", "1348403181000");
Found : user_pref("CT2517034.serviceLayer_services_serviceMap_lastUpdate", "1348403179108");
Found : user_pref("CT2517034.serviceLayer_services_toolbarContextMenu_lastUpdate", "1348316782260");
Found : user_pref("CT2517034.serviceLayer_services_toolbarSettings_lastUpdate", "1348409486079");
Found : user_pref("CT2517034.serviceLayer_services_translation_lastUpdate", "1348403179442");
Found : user_pref("CT2517034.settingsINI", true);
Found : user_pref("CT2517034.smartbar.CTID", "CT2517034");
Found : user_pref("CT2517034.smartbar.Uninstall", "0");
Found : user_pref("CT2517034.smartbar.toolbarName", "viraltrafficfrenzy ");
Found : user_pref("CT2517034.toolbarBornServerTime", "22-9-2012");
Found : user_pref("CT2517034.toolbarCurrentServerTime", "23-9-2012");
Found : user_pref("CT2517034_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Found : user_pref("Smartbar.ConduitSearchEngineList", "viraltrafficfrenzy Customized Web Search");
Found : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2517034[...]
Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT2517034");
Found : user_pref("browser.search.defaultthis.engineName", "Free Traffic Bar Customized Web Search");
Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1734448&Sea[...]
Found : user_pref("browser.search.selectedEngine", "viraltrafficfrenzy Customized Web Search");
Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2517034&q=");

Profile name : default
File : C:\Users\CHARLIES PLACE\AppData\Roaming\Mozilla\Firefox\Profiles\ctw9y3n1.default\prefs.js

Found : user_pref("keyword.URL", "hxxp://search.imesh.com/web?src=ffb&systemid=1&q=");

-\\ Google Chrome v21.0.1180.79

File : C:\Users\D Clark\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.36] : search_url = "hxxp://dts.search-results.com/sr?src=crb&appid=102&systemid=2&sr=0&q={searchTerms}",

File : C:\Users\CHARLIES PLACE\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\D Clark\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [9130 octets] - [23/09/2012 17:38:54]

########## EOF - C:\AdwCleaner[R1].txt - [9190 octets] ##########


  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.




# AdwCleaner v2.002 - Logfile created 09/23/2012 at 17:53:52
# Updated 16/09/2012 by Xplode
# Operating system : Windows 7 Starter (32 bits)
# User : D Clark - DCLARK-PC
# Boot Mode : Safe mode with networking
# Running from : C:\Users\D Clark\Downloads\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
File Deleted : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\extensions\toolbar@alexa.com.xpi
File Deleted : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\searchplugins\Search_Results.xml
Folder Deleted : C:\Program Files\Common Files\spigot
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\CHARLIES PLACE\AppData\LocalLow\mediabarim
Folder Deleted : C:\Users\D Clark\AppData\Local\Conduit
Folder Deleted : C:\Users\D Clark\AppData\Local\OpenCandy
Folder Deleted : C:\Users\D Clark\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\D Clark\AppData\LocalLow\FunWebProducts
Folder Deleted : C:\Users\D Clark\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\CT2517034
Folder Deleted : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\extensions\{fee90072-01ea-4444-8fca-d460fe44f920}
Folder Deleted : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\FCTB
Folder Deleted : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\Smartbar
Folder Deleted : C:\Users\D Clark\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.7930.16406

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392 --> hxxp://www.google.com

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\prefs.js

C:\Users\D Clark\AppData\Roaming\Mozilla\Firefox\Profiles\fsbnc3b0.default\user.js ... Deleted !

Deleted : user_pref("CT2517034.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT2517034.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Deleted : user_pref("CT2517034.FirstTime", "true");
Deleted : user_pref("CT2517034.FirstTimeFF3", "true");
Deleted : user_pref("CT2517034.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT251[...]
Deleted : user_pref("CT2517034.UserID", "UN70045496857300459");
Deleted : user_pref("CT2517034.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT2517034.browser.search.defaultthis.engineName", true);
Deleted : user_pref("CT2517034.embeddedsData", "[{\"appId\":\"129090939799836784\",\"apiPermissions\":{\"cross[...]
Deleted : user_pref("CT2517034.enableAlerts", "never");
Deleted : user_pref("CT2517034.firstTimeDialogOpened", "true");
Deleted : user_pref("CT2517034.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT2517034.fixUrls", true);
Deleted : user_pref("CT2517034.hxxp___www_viraltrafficfrenzy_com.ID", "MTAwMDg=");
Deleted : user_pref("CT2517034.installType", "DirectDownload");
Deleted : user_pref("CT2517034.isCheckedStartAsHidden", true);
Deleted : user_pref("CT2517034.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT2517034.isFirstTimeToolbarLoading", "false");
Deleted : user_pref("CT2517034.isNewTabEnabled", false);
Deleted : user_pref("CT2517034.isPerformedSmartBarTransition", "true");
Deleted : user_pref("CT2517034.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT2517034.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Deleted : user_pref("CT2517034.keyword", true);
Deleted : user_pref("CT2517034.migrateAppsAndComponents", true);
Deleted : user_pref("CT2517034.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fwww.google.com%2[...]
Deleted : user_pref("CT2517034.personalApps", "{\"dataType\":\"object\",\"data\":\"[\\\"EMAIL_NOTIFIER\\\"]\"}[...]
Deleted : user_pref("CT2517034.search.searchAppId", "129090939799836784");
Deleted : user_pref("CT2517034.search.searchCount", "0");
Deleted : user_pref("CT2517034.searchInNewTabEnabled", "false");
Deleted : user_pref("CT2517034.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT2517034.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT2517034.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT2517034.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT2517034.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT2517034.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT2517034.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1348316781772");
Deleted : user_pref("CT2517034.serviceLayer_services_appsMetadata_lastUpdate", "1348403181965");
Deleted : user_pref("CT2517034.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1348316782434");
Deleted : user_pref("CT2517034.serviceLayer_services_login_10.13.1.89_lastUpdate", "1348402286896");
Deleted : user_pref("CT2517034.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1348316782628");
Deleted : user_pref("CT2517034.serviceLayer_services_searchAPI_lastUpdate", "1348403181000");
Deleted : user_pref("CT2517034.serviceLayer_services_serviceMap_lastUpdate", "1348403179108");
Deleted : user_pref("CT2517034.serviceLayer_services_toolbarContextMenu_lastUpdate", "1348316782260");
Deleted : user_pref("CT2517034.serviceLayer_services_toolbarSettings_lastUpdate", "1348409486079");
Deleted : user_pref("CT2517034.serviceLayer_services_translation_lastUpdate", "1348403179442");
Deleted : user_pref("CT2517034.settingsINI", true);
Deleted : user_pref("CT2517034.smartbar.CTID", "CT2517034");
Deleted : user_pref("CT2517034.smartbar.Uninstall", "0");
Deleted : user_pref("CT2517034.smartbar.toolbarName", "viraltrafficfrenzy ");
Deleted : user_pref("CT2517034.toolbarBornServerTime", "22-9-2012");
Deleted : user_pref("CT2517034.toolbarCurrentServerTime", "23-9-2012");
Deleted : user_pref("CT2517034_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "viraltrafficfrenzy Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2517034[...]
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT2517034");
Deleted : user_pref("browser.search.defaultthis.engineName", "Free Traffic Bar Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1734448&Sea[...]
Deleted : user_pref("browser.search.selectedEngine", "viraltrafficfrenzy Customized Web Search");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2517034&q=");

Profile name : default
File : C:\Users\CHARLIES PLACE\AppData\Roaming\Mozilla\Firefox\Profiles\ctw9y3n1.default\prefs.js

Deleted : user_pref("keyword.URL", "hxxp://search.imesh.com/web?src=ffb&systemid=1&q=");

-\\ Google Chrome v21.0.1180.79

File : C:\Users\D Clark\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.36] : search_url = "hxxp://dts.search-results.com/sr?src=crb&appid=102&systemid=2&sr=0&q={searchTerms}",

File : C:\Users\CHARLIES PLACE\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\D Clark\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [9259 octets] - [23/09/2012 17:38:54]
AdwCleaner[S2].txt - [9806 octets] - [23/09/2012 17:53:52]

########## EOF - C:\AdwCleaner[S2].txt - [9866 octets] ##########


How are things now? :)

Things are a bit better. Before, when I started in normal Windows mode, none of the icons would load and the egg timer would just sit there, and I couldn't open anything.

Now all the icons loaded up and the AdwCleaner[S2].txt loaded up, but then it stopped loading and got stuck again.


Good! :)

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Next, manually delete AdwCleaner.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)


It's still really slow and clunky in normal Windows mode. Whenever I try to do anything I get a white screen, but the start bar is still visible; after a minute or two the screen comes back.


Follow the instructions for Malwarebytes' Anti-Malware here:

http://forums.malwarebytes.org/index.php?showtopic=116278&view=findpost&p=600285

Then:

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


I don't think it's infected anymore but no program will open at all, not even the task manager.
