can't get rid of w32.downloader.gen

Fiery

Level 1
Jan 11, 2011
2,007
Hi efree777 and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Download Farbar Recovery Scan Tool from the link below:
  • For 64-bit systems, download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  1. Select Command Prompt.
  2. In the command window type notepad and press Enter.
  3. Notepad opens. Under the File menu select Open.
  4. Select "Computer", find your flash drive letter and close Notepad.
  5. In the command window type e:\frst64 and press Enter.
     Note: Replace the letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens, click Yes to the disclaimer.
  8. Press the Scan button.
  9. FRST will let you know when the scan is complete and has written FRST.txt; close the message.
  10. Type exit.
  11. Please copy and paste FRST.txt in your next reply.
 

efree777

New Member
Thread author
May 14, 2013
8
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013
Ran by SYSTEM on 14-05-2013 20:28:37
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1813288 2009-08-17] (Synaptics Incorporated)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [494064 2009-06-22] ()
HKLM-x32\...\Run: [CPMonitor] "C:\Program Files (x86)\Roxio 2010\5.0\CPMonitor.exe" [84464 2009-07-21] ()
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe [6937216 2009-10-09] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe [170624 2009-08-19] (ASUS)
HKLM-x32\...\Run: [ADSMTray] C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe [272952 2009-06-24] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [295512 2013-04-17] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
HKU\Marie\...\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [206112 2008-10-24] (Macrovision Corporation)
HKU\Marie\...\Run: [SansaDispatch] C:\Users\Marie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-04-09] (SanDisk Corporation)
HKU\Marie\...\Run: [Google Update] "C:\Users\Marie\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-01-13] (Google Inc.)
HKU\Marie\...\Run: [Nero MediaHome 4] "C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN [4695336 2009-03-05] (Nero AG)
HKU\Marie\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2013-04-17] (Google Inc.)
HKU\Marie\...\Run: [SearchProtect] C:\Users\Marie\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)

==================== Services (Whitelisted) =================

S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [457200 2009-06-02] ()
S2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-08-07] ()
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-04-11] (Conduit)
S2 Freemake Improver; C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [101376 2013-01-10] (Freemake)
S2 FreemakeVideoCapture; C:\Program Files (x86)\Freemake\CaptureLib\CaptureLibService.exe [9216 2013-01-10] (Ellora Assets Corp.)
S2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2011-12-06] ()
S2 NeroMediaHomeService.4; C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe [255272 2009-03-05] (Nero AG)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-05] ()
S2 spmgr; C:\Program Files (x86)\ASUS\NB Probe\SPM\spmgr.exe [125496 2007-08-03] ()

==================== Drivers (Whitelisted) ====================

S2 ASMMAP64; C:\Program Files\ATKGFNEX\ASMMAP64.sys [14904 2007-07-24] ()
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2010-01-13] ()
S2 ghaio; C:\Program Files (x86)\ASUS\NB Probe\SPM\ghaio.sys [17464 2007-08-03] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32000 2013-05-13] ()
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2010-01-13] ()
S3 MTsensor; C:\Windows\System32\DRIVERS\ATK64AMD.sys [13680 2007-08-08] ()
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1806400 2009-12-23] ()
S0 gfibto; system32\drivers\gfibto.sys [x]
S3 ipswuio; System32\DRIVERS\ipswuio.sys [x]
S0 Lbd; system32\DRIVERS\Lbd.sys [x]
S2 npf; system32\drivers\npf.sys [x]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-14 20:28 - 2013-05-14 20:28 - 00000000 ____D C:\FRST
2013-05-14 15:05 - 2013-05-14 15:05 - 00872232 ____A (SetupManager) C:\Users\Marie\Downloads\Setup.exe
2013-05-14 09:10 - 2013-05-14 09:10 - 00000278 ____A C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2013-05-14 09:10 - 2013-05-14 09:10 - 00000254 ____A C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2013-05-14 06:54 - 2013-05-14 06:56 - 04745728 ____A (AVAST Software) C:\Users\Marie\Downloads\aswMBR.exe
2013-05-14 06:48 - 2013-05-14 06:48 - 00081016 ____A C:\Users\Marie\Downloads\Extras.Txt
2013-05-14 06:41 - 2013-05-14 06:41 - 00107336 ____A C:\Users\Marie\Downloads\OTL.Txt
2013-05-14 06:17 - 2013-05-14 06:17 - 00602112 ____A (OldTimer Tools) C:\Users\Marie\Downloads\OTL.exe
2013-05-13 19:02 - 2013-05-13 19:02 - 00032000 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-05-13 19:00 - 2013-05-13 19:00 - 00005158 ____A C:\Windows\System32\.crusader
2013-05-13 18:50 - 2013-05-13 19:00 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-13 18:02 - 2013-05-13 18:02 - 00000000 ____D C:\Users\Marie\AppData\Roaming\Malwarebytes
2013-05-13 18:02 - 2013-05-13 18:02 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-13 18:02 - 2013-05-13 18:02 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-13 18:02 - 2013-04-04 11:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-13 13:40 - 2013-05-13 13:40 - 00000000 ____D C:\SearchProtect
2013-05-10 06:51 - 2013-05-10 07:14 - 4188979200 ____A C:\Users\Marie\Desktop\BURN_Movie1_Full.mpg
2013-05-09 07:38 - 2013-05-14 15:06 - 00000000 ____D C:\Users\Marie\Desktop\security
2013-05-09 07:36 - 2013-05-09 07:36 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2013-05-09 07:32 - 2013-05-09 07:33 - 01402880 ____A C:\Users\Marie\Downloads\HiJackThis.msi
2013-05-09 03:09 - 2013-05-14 09:19 - 00000000 ____D C:\Users\Marie\AppData\Roaming\SearchProtect
2013-05-08 12:56 - 2013-05-14 14:56 - 00435388 ____A C:\Windows\PFRO.log
2013-05-08 11:29 - 2013-05-10 07:14 - 00046080 __ASH C:\Users\Marie\Desktop\Thumbs.db
2013-05-08 11:28 - 2013-05-14 15:24 - 00000728 ____A C:\Windows\setupact.log
2013-05-08 11:28 - 2013-05-08 11:28 - 00000000 ____A C:\Windows\setuperr.log
2013-05-07 17:07 - 2013-05-08 04:21 - 00000000 ____D C:\Users\Marie\AppData\Roaming\LavasoftStatistics
2013-05-07 17:06 - 2013-05-07 17:06 - 00000000 ____D C:\ProgramData\Downloaded Installations
2013-05-07 17:00 - 2013-05-07 17:21 - 00014456 ____A (GFI Software) C:\Windows\System32\Drivers\gfibto.sys
2013-05-07 12:00 - 2013-05-07 17:19 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2013-05-03 19:59 - 2013-05-03 20:15 - 75504074 ____A C:\Users\Marie\Desktop\Diamonds Are a Girl's Best Friend Dance at 20th Century- The Musical.mp4
2013-05-03 19:52 - 2013-05-03 19:52 - 00587728 ____A C:\Users\Marie\Downloads\youtubedownloadplayer-setup.exe
2013-05-03 19:51 - 2013-05-03 19:51 - 00903072 ____A (Oracle Corporation) C:\Users\Marie\Downloads\jxpiinstall.exe
2013-05-03 19:47 - 2013-05-03 19:47 - 01270272 ____A (Bandoo Media Inc) C:\Users\Marie\Downloads\iLividSetup(2).exe
2013-05-03 19:47 - 2013-05-03 19:47 - 01270272 ____A (Bandoo Media Inc) C:\Users\Marie\Downloads\iLividSetup(1).exe
2013-05-03 19:47 - 2013-05-03 19:47 - 01270048 ____A (Bandoo Media Inc) C:\Users\Marie\Downloads\iLividSetup(3).exe
2013-05-03 19:16 - 2013-05-03 20:15 - 00000000 ____D C:\Users\Marie\Desktop\BRITTANY
2013-05-01 15:09 - 2013-05-01 15:10 - 00000000 ____D C:\Users\Marie\Desktop\amazon
2013-05-01 14:23 - 2013-02-05 22:36 - 195454074 ____A C:\Users\Marie\Desktop\SAM_0422.MP4
2013-04-28 13:43 - 2013-04-28 13:43 - 02400200 ____A C:\Users\Marie\Downloads\AmazonMP3DownloaderInstall._V371120661_.exe
2013-04-28 13:39 - 2013-04-28 13:39 - 00000000 ____D C:\Users\Marie\Documents\Amazon Music Importer
2013-04-24 06:28 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-18 11:12 - 2013-04-18 11:14 - 13459032 ____A C:\Users\Marie\Desktop\Gentlemen Prefer Blondes (1953) -- (Movie Clip) Diamonds Are A Girl's Best Friend (1).mp4
2013-04-18 05:23 - 2013-02-21 22:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-18 05:23 - 2013-02-21 22:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-18 05:23 - 2013-02-21 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-18 05:23 - 2013-02-21 22:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-18 05:23 - 2013-02-21 22:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-18 05:23 - 2013-02-21 22:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-18 05:23 - 2013-02-21 22:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-18 05:23 - 2013-02-21 22:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-18 05:23 - 2013-02-21 22:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-18 05:23 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-18 05:23 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-18 05:23 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-04-18 05:23 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-04-18 05:23 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-04-18 05:23 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-04-18 05:23 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-18 05:23 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-18 05:23 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-04-18 05:23 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-18 05:22 - 2013-02-21 22:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-18 05:22 - 2013-02-21 22:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-18 05:22 - 2013-02-21 22:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-18 05:22 - 2013-02-21 22:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-18 05:22 - 2013-02-21 22:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-18 05:22 - 2013-02-21 22:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-18 05:22 - 2013-02-21 22:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-18 05:22 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-18 05:22 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-18 05:22 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-18 05:22 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-18 05:22 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-18 05:22 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-17 12:38 - 2013-04-17 12:39 - 15678748 ____A C:\Users\Marie\Desktop\Carol Channing sings on 1953 TV (Two songs from _Gentlemen Prefer Blondes_).mp4
2013-04-17 12:23 - 2013-04-17 12:25 - 00000000 ____D C:\Users\Marie\AppData\Local\Conduit
2013-04-17 12:23 - 2013-04-17 12:25 - 00000000 ____D C:\Program Files (x86)\Vgrabber_v1
2013-04-17 12:23 - 2013-04-17 12:23 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2013-04-17 12:23 - 2013-04-17 12:23 - 00000000 ____D C:\Program Files (x86)\Conduit
2013-04-17 12:20 - 2013-04-17 12:20 - 01469968 ____A ( ) C:\Users\Marie\Downloads\video_downloader.exe
2013-04-17 09:31 - 2013-04-17 09:31 - 00000000 ____D C:\Users\Marie\AppData\Roaming\RealNetworks
2013-04-17 09:30 - 2013-04-17 09:30 - 00000000 ____D C:\ProgramData\RealNetworks
2013-04-17 09:30 - 2013-04-17 09:30 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-04-17 09:29 - 2013-04-17 09:29 - 00201872 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-04-17 03:41 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-17 03:41 - 2013-02-14 22:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-17 03:41 - 2013-02-14 22:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-17 03:41 - 2013-02-14 22:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-17 03:41 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-17 03:41 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-17 03:41 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-17 03:39 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-17 03:39 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-17 03:39 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-17 03:39 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-17 03:39 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-17 03:39 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-17 03:39 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-04-17 03:39 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys

==================== One Month Modified Files and Folders =======

2013-05-14 20:28 - 2013-05-14 20:28 - 00000000 ____D C:\FRST
2013-05-14 16:39 - 2009-12-23 20:40 - 01068590 ____A C:\Windows\WindowsUpdate.log
2013-05-14 16:26 - 2010-10-19 19:50 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-14 16:13 - 2012-04-25 15:22 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-14 16:13 - 2012-04-25 15:22 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-14 16:13 - 2011-11-16 19:26 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-14 15:52 - 2010-01-13 17:18 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-767052454-1278637375-1300389408-1001UA.job
2013-05-14 15:32 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-14 15:32 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-14 15:25 - 2010-10-19 19:50 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-14 15:24 - 2013-05-08 11:28 - 00000728 ____A C:\Windows\setupact.log
2013-05-14 15:24 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-14 15:06 - 2013-05-09 07:38 - 00000000 ____D C:\Users\Marie\Desktop\security
2013-05-14 15:05 - 2013-05-14 15:05 - 00872232 ____A (SetupManager) C:\Users\Marie\Downloads\Setup.exe
2013-05-14 14:56 - 2013-05-08 12:56 - 00435388 ____A C:\Windows\PFRO.log
2013-05-14 14:56 - 2009-12-23 22:50 - 00000000 ____D C:\ProgramData\Norton
2013-05-14 14:53 - 2010-02-22 17:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-14 14:53 - 2010-02-22 17:47 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2013-05-14 09:19 - 2013-05-09 03:09 - 00000000 ____D C:\Users\Marie\AppData\Roaming\SearchProtect
2013-05-14 09:10 - 2013-05-14 09:10 - 00000278 ____A C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2013-05-14 09:10 - 2013-05-14 09:10 - 00000254 ____A C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2013-05-14 07:06 - 2009-07-13 21:13 - 00732638 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-14 06:56 - 2013-05-14 06:54 - 04745728 ____A (AVAST Software) C:\Users\Marie\Downloads\aswMBR.exe
2013-05-14 06:48 - 2013-05-14 06:48 - 00081016 ____A C:\Users\Marie\Downloads\Extras.Txt
2013-05-14 06:41 - 2013-05-14 06:41 - 00107336 ____A C:\Users\Marie\Downloads\OTL.Txt
2013-05-14 06:17 - 2013-05-14 06:17 - 00602112 ____A (OldTimer Tools) C:\Users\Marie\Downloads\OTL.exe
2013-05-13 19:03 - 2010-01-05 10:53 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2013-05-13 19:02 - 2013-05-13 19:02 - 00032000 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-05-13 19:00 - 2013-05-13 19:00 - 00005158 ____A C:\Windows\System32\.crusader
2013-05-13 19:00 - 2013-05-13 18:50 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-13 18:02 - 2013-05-13 18:02 - 00000000 ____D C:\Users\Marie\AppData\Roaming\Malwarebytes
2013-05-13 18:02 - 2013-05-13 18:02 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-13 18:02 - 2013-05-13 18:02 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-13 13:52 - 2010-01-13 17:18 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-767052454-1278637375-1300389408-1001Core.job
2013-05-13 13:40 - 2013-05-13 13:40 - 00000000 ____D C:\SearchProtect
2013-05-10 08:34 - 2009-12-23 23:35 - 00000000 ____D C:\ProgramData\Roxio
2013-05-10 08:25 - 2009-12-23 23:35 - 00000000 ____D C:\ProgramData\Sonic
2013-05-10 07:14 - 2013-05-10 06:51 - 4188979200 ____A C:\Users\Marie\Desktop\BURN_Movie1_Full.mpg
2013-05-10 07:14 - 2013-05-08 11:29 - 00046080 __ASH C:\Users\Marie\Desktop\Thumbs.db
2013-05-10 06:50 - 2010-05-31 08:25 - 81776816 ____A C:\Users\Marie\AppData\Local\rx_image32.Cache
2013-05-09 07:36 - 2013-05-09 07:36 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2013-05-09 07:33 - 2013-05-09 07:32 - 01402880 ____A C:\Users\Marie\Downloads\HiJackThis.msi
2013-05-08 19:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-05-08 12:52 - 2010-02-08 17:34 - 00004277 ____A C:\Windows\WININIT.INI
2013-05-08 11:28 - 2013-05-08 11:28 - 00000000 ____A C:\Windows\setuperr.log
2013-05-08 08:50 - 2011-06-12 05:55 - 00000000 ____D C:\Windows\Minidump
2013-05-08 08:50 - 2010-07-04 11:35 - 00000000 ____D C:\Program Files (x86)\Steam
2013-05-08 08:50 - 2010-03-22 10:31 - 00000000 ____D C:\Users\Marie\AppData\Local\CrashDumps
2013-05-08 08:42 - 2010-09-27 10:07 - 00000000 ____D C:\Program Files (x86)\CCleaner
2013-05-08 04:21 - 2013-05-07 17:07 - 00000000 ____D C:\Users\Marie\AppData\Roaming\LavasoftStatistics
2013-05-07 17:52 - 2009-12-26 07:31 - 00000000 ____D C:\Users\Marie\AppData\Local\Google
2013-05-07 17:21 - 2013-05-07 17:00 - 00014456 ____A (GFI Software) C:\Windows\System32\Drivers\gfibto.sys
2013-05-07 17:19 - 2013-05-07 12:00 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2013-05-07 17:08 - 2010-01-05 08:13 - 00219771 ____A C:\aaw7boot.log
2013-05-07 17:06 - 2013-05-07 17:06 - 00000000 ____D C:\ProgramData\Downloaded Installations
2013-05-03 21:10 - 2009-12-23 18:48 - 00000000 ____D C:\users\Marie
2013-05-03 20:26 - 2013-03-17 20:03 - 00000000 ____D C:\Users\Marie\Desktop\EDITED
2013-05-03 20:15 - 2013-05-03 19:59 - 75504074 ____A C:\Users\Marie\Desktop\Diamonds Are a Girl's Best Friend Dance at 20th Century- The Musical.mp4
2013-05-03 20:15 - 2013-05-03 19:16 - 00000000 ____D C:\Users\Marie\Desktop\BRITTANY
2013-05-03 19:52 - 2013-05-03 19:52 - 00587728 ____A C:\Users\Marie\Downloads\youtubedownloadplayer-setup.exe
2013-05-03 19:51 - 2013-05-03 19:51 - 00903072 ____A (Oracle Corporation) C:\Users\Marie\Downloads\jxpiinstall.exe
2013-05-03 19:47 - 2013-05-03 19:47 - 01270272 ____A (Bandoo Media Inc) C:\Users\Marie\Downloads\iLividSetup(2).exe
2013-05-03 19:47 - 2013-05-03 19:47 - 01270272 ____A (Bandoo Media Inc) C:\Users\Marie\Downloads\iLividSetup(1).exe
2013-05-03 19:47 - 2013-05-03 19:47 - 01270048 ____A (Bandoo Media Inc) C:\Users\Marie\Downloads\iLividSetup(3).exe
2013-05-03 19:30 - 2009-12-24 11:37 - 00000000 ____D C:\Users\Marie\AppData\Roaming\Roxio
2013-05-01 17:40 - 2010-05-31 08:26 - 04216000 ____A C:\Users\Marie\AppData\Local\rx_audio.Cache
2013-05-01 15:10 - 2013-05-01 15:09 - 00000000 ____D C:\Users\Marie\Desktop\amazon
2013-05-01 15:01 - 2010-05-31 08:26 - 00000000 ____D C:\Users\Marie\Documents\Roxio
2013-05-01 05:05 - 2010-01-05 09:18 - 00000000 ____D C:\Users\Marie\Desktop\emfreeman
2013-04-28 13:43 - 2013-04-28 13:43 - 02400200 ____A C:\Users\Marie\Downloads\AmazonMP3DownloaderInstall._V371120661_.exe
2013-04-28 13:39 - 2013-04-28 13:39 - 00000000 ____D C:\Users\Marie\Documents\Amazon Music Importer
2013-04-27 06:45 - 2011-04-24 05:40 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2013-04-27 06:45 - 2011-04-24 05:40 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2013-04-18 14:24 - 2009-07-13 20:45 - 00457280 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-18 11:14 - 2013-04-18 11:12 - 13459032 ____A C:\Users\Marie\Desktop\Gentlemen Prefer Blondes (1953) -- (Movie Clip) Diamonds Are A Girl's Best Friend (1).mp4
2013-04-18 09:52 - 2012-01-13 08:26 - 00000000 ____D C:\ProgramData\Real
2013-04-18 09:51 - 2012-01-13 08:26 - 00000000 ____D C:\Users\Marie\AppData\Roaming\Real
2013-04-18 05:33 - 2009-12-23 21:10 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-18 05:28 - 2009-12-23 23:06 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-17 12:39 - 2013-04-17 12:38 - 15678748 ____A C:\Users\Marie\Desktop\Carol Channing sings on 1953 TV (Two songs from _Gentlemen Prefer Blondes_).mp4
2013-04-17 12:25 - 2013-04-17 12:23 - 00000000 ____D C:\Users\Marie\AppData\Local\Conduit
2013-04-17 12:25 - 2013-04-17 12:23 - 00000000 ____D C:\Program Files (x86)\Vgrabber_v1
2013-04-17 12:23 - 2013-04-17 12:23 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2013-04-17 12:23 - 2013-04-17 12:23 - 00000000 ____D C:\Program Files (x86)\Conduit
2013-04-17 12:20 - 2013-04-17 12:20 - 01469968 ____A ( ) C:\Users\Marie\Downloads\video_downloader.exe
2013-04-17 09:31 - 2013-04-17 09:31 - 00000000 ____D C:\Users\Marie\AppData\Roaming\RealNetworks
2013-04-17 09:30 - 2013-04-17 09:30 - 00000000 ____D C:\ProgramData\RealNetworks
2013-04-17 09:30 - 2013-04-17 09:30 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-04-17 09:29 - 2013-04-17 09:29 - 00201872 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-04-17 09:29 - 2012-01-13 08:26 - 00000000 ____D C:\Program Files (x86)\Real
2013-04-17 09:28 - 2013-04-17 09:28 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-04-17 09:28 - 2013-04-17 09:28 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-04-17 09:27 - 2009-12-26 07:15 - 00000000 ____D C:\ProgramData\Google
2013-04-17 09:26 - 2009-12-26 07:15 - 00000000 ____D C:\Program Files\Google
2013-04-17 09:26 - 2009-12-26 07:15 - 00000000 ____D C:\Program Files (x86)\Google

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-09 07:36:32

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4095.11 MB
Available physical RAM: 3484.75 MB
Total Pagefile: 4093.26 MB
Available Pagefile: 3478.43 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (VistaOS) (Fixed) (Total:286.37 GB) (Free:48.01 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive e: (TravelDrive) (Removable) (Total:0.96 GB) (Free:0.96 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 97646C29)
Partition 1: (Not Active) - (Size=12 GB) - (Type=1C)
Partition 2: (Active) - (Size=286 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 984 MB) (Disk ID: BDF74F89)
Partition 1: (Active) - (Size=984 MB) - (Type=0E)


Last Boot: 2013-05-08 19:40

==================== End Of Log ======================
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Open notepad and copy & paste the following:

HKU\Marie\...\Run: [SearchProtect] C:\Users\Marie\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
C:\Users\Marie\AppData\Roaming\SearchProtect
HKLM-x32\...\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
C:\Program Files (x86)\SearchProtect
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-04-11] (Conduit)
2013-04-17 12:23 - 2013-04-17 12:25 - 00000000 ____D C:\Program Files (x86)\Vgrabber_v1
2013-04-17 12:23 - 2013-04-17 12:23 - 00000000 ____D C:\Program Files (x86)\Conduit
2013-04-17 12:25 - 2013-04-17 12:23 - 00000000 ____D C:\Users\Marie\AppData\Local\Conduit

and save it as fixlist.txt onto your flash drive.

Then, boot to System Recovery, plug in your flash drive, open FRST and click Fix. Post the generated log.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start).
  • Click Delete.
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
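Added example (not part of this thread, and not FRST's own code): a small Python triage script that parses FRST-style Run-key, service and directory lines like the ones in the fixlist above, flags an entry when its publisher or its path points at a known PUP vendor, and emits the flagged log lines as fixlist.txt entries, since FRST takes its own log lines verbatim there, as the fix above shows. The sample lines are constructed copies of the entries quoted in this thread plus one made-up benign "Example Corp" entry used as a control; the publisher and path keyword lists (Conduit, SearchProtect, Vgrabber) are assumptions taken from this thread, not a real vendor list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in FRST's log format, modelled on the entries the
# helper quoted in this thread. The "Example Corp" line is a constructed benign
# control entry that must not be flagged.
SAMPLE_FRST_LINES = [
    r"HKU\Marie\...\Run: [SearchProtect] C:\Users\Marie\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)",
    r"HKLM-x32\...\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)",
    r"S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-04-11] (Conduit)",
    r"HKLM\...\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe [123456 2013-01-01] (Example Corp)",
    r"2013-04-17 12:23 - 2013-04-17 12:23 - 00000000 ____D C:\Program Files (x86)\Conduit",
    r"2013-04-17 12:23 - 2013-04-17 12:25 - 00000000 ____D C:\Program Files (x86)\Vgrabber_v1",
]

# Assumed indicator lists: the vendors named in this thread. A real triage
# list would be far longer and maintained separately.
PUP_PUBLISHERS = {"conduit"}
PUP_PATH_KEYWORDS = {"searchprotect", "conduit", "vgrabber"}

# Three FRST line shapes: autorun value, service, and directory listing.
RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)
SERVICE_RE = re.compile(
    r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)
DIR_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"- \d{8} ____D (?P<path>.+)$"
)


@dataclass
class Entry:
    kind: str          # "run", "service" or "dir"
    name: str          # value name, service name, or the directory path
    path: str          # executable or directory path
    publisher: str     # empty for directory entries (FRST shows none)
    raw: str           # the original log line, reusable verbatim in fixlist.txt
    reason: str = ""   # filled in by triage() when the entry is flagged


def parse_frst_line(line: str) -> Optional[Entry]:
    """Return an Entry for the three line shapes handled here, else None."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return Entry("run", m["name"], m["path"], m["publisher"], line)
    m = SERVICE_RE.match(line)
    if m:
        return Entry("service", m["name"], m["path"], m["publisher"], line)
    m = DIR_RE.match(line)
    if m:
        return Entry("dir", m["path"], m["path"], "", line)
    return None


def triage(lines: List[str]) -> List[Entry]:
    """Flag entries whose publisher or path matches the assumed PUP indicators."""
    flagged = []
    for line in lines:
        entry = parse_frst_line(line)
        if entry is None:
            continue  # section headers and other line types are ignored
        reasons = []
        if entry.publisher.lower() in PUP_PUBLISHERS:
            reasons.append(f"publisher '{entry.publisher}' is a known PUP vendor")
        hits = sorted(k for k in PUP_PATH_KEYWORDS if k in entry.path.lower())
        if hits:
            reasons.append("path contains " + ", ".join(hits))
        if reasons:
            entry.reason = "; ".join(reasons)
            flagged.append(entry)
    return flagged


def build_fixlist(flagged: List[Entry]) -> List[str]:
    """Emit each flagged log line once, in log order, as fixlist.txt content."""
    seen = set()
    out = []
    for e in flagged:
        if e.raw not in seen:
            seen.add(e.raw)
            out.append(e.raw)
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST_LINES)
    for e in hits:
        print(f"[{e.kind}] {e.name}: {e.reason}")
    print("--- fixlist.txt ---")
    print("\n".join(build_fixlist(hits)))
```

The point of the two-signal check is that a renamed executable still shows its publisher, and an unsigned file still sits in a tell-tale folder; the benign control line passes both checks untouched. Output from a script like this is a starting point for review, not a fixlist to run blind: a helper still reads each flagged line against the rest of the log before it goes on the flash drive.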
 

efree777

New Member
Thread author
May 14, 2013
8
Malwarebytes Anti-Rootkit gave the message that no malware was found....Does this mean that the laptop is clean?


# AdwCleaner v2.300 - Logfile created 05/15/2013 at 09:27:37
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Marie - MARIE-PC
# Boot Mode : Normal
# Running from : C:\Users\Marie\Desktop\security\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\adawaretb.xml
File Deleted : C:\Users\Marie\AppData\Roaming\Mozilla\Firefox\Profiles\d4pi8j0p.default\searchplugins\web-search.xml
Folder Deleted : C:\Program Files (x86)\Ilivid
Folder Deleted : C:\ProgramData\{B49A644A-1076-4A3D-B124-DAA7862F2318}
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Users\Marie\AppData\Local\Ilivid Player
Folder Deleted : C:\Users\Marie\AppData\Local\PackageAware
Folder Deleted : C:\Users\Marie\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Marie\AppData\LocalLow\FunWebProducts
Folder Deleted : C:\Users\Marie\AppData\LocalLow\MyWebSearch
Folder Deleted : C:\Users\Marie\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Marie\AppData\LocalLow\Toolbar4
Folder Deleted : C:\Users\Marie\AppData\LocalLow\Vgrabber_v1

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Deleted : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Deleted : HKCU\Software\AppDataLow\Software\MyWebSearch
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\Vgrabber_v1
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{338B4DFE-2E2C-4338-9E41-E176D497299E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F7F82F1-7C95-47CD-814F-950B56D58FC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{338B4DFE-2E2C-4338-9E41-E176D497299E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F7F82F1-7C95-47CD-814F-950B56D58FC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\Somoto Toolbar
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1
Key Deleted : HKLM\SOFTWARE\Classes\ilivid
Key Deleted : HKLM\SOFTWARE\Classes\IMsiDe1egate.Application.1
Key Deleted : HKLM\Software\Classes\Installer\Features\2B1E51D87B2D71A44BB42DDD5E894160
Key Deleted : HKLM\Software\Classes\Installer\Products\2B1E51D87B2D71A44BB42DDD5E894160
Key Deleted : HKLM\SOFTWARE\Classes\SMTTB2009.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\SMTTB2009.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\SMTTB2009.SMTTB2009
Key Deleted : HKLM\SOFTWARE\Classes\SMTTB2009.SMTTB2009.3
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3268934
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3268935
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SMTTB2009
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SMTTB2009.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
Key Deleted : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook
Key Deleted : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{61442EE4-AEFC-46A6-95A3-3BCB6C3AC714}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\Vgrabber_v1
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{338B4DFE-2E2C-4338-9E41-E176D497299E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{61442EE4-AEFC-46A6-95A3-3BCB6C3AC714}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7F7F82F1-7C95-47CD-814F-950B56D58FC3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3644432D-FD54-4566-BF9B-27A8D62BBF06}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{42033286-404C-4409-93C8-B981697D7762}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F7F82F1-7C95-47CD-814F-950B56D58FC3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Vgrabber_v1 Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{338B4DFE-2E2C-4338-9E41-E176D497299E}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7F7F82F1-7C95-47CD-814F-950B56D58FC3}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7F7F82F1-7C95-47CD-814F-950B56D58FC3}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{CA3EB689-8F09-4026-AA10-B9534C691CE0}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7F7F82F1-7C95-47CD-814F-950B56D58FC3}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{338B4DFE-2E2C-4338-9E41-E176D497299E}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7F7F82F1-7C95-47CD-814F-950B56D58FC3}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

File : C:\Users\Marie\AppData\Roaming\Mozilla\Firefox\Profiles\d4pi8j0p.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Marie\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [10319 octets] - [15/05/2013 09:27:37]

########## EOF - C:\AdwCleaner[S1].txt - [10380 octets] ##########
 

Fiery

Level 1
Jan 11, 2011
2,007
Malwarebytes Anti-Rootkit gave the message that no malware was found....Does this mean that the laptop is clean?

No, not necessarily. We need to use a few more tools to be certain. How is your PC running by the way?

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

efree777

New Member
Thread author
May 14, 2013
8
Well, the laptop seems much more responsive, but as you can see below, the Eset online antivirus scanner found several threats.
C:\FRST\Quarantine\SearchProtect\bin\ChromeModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\FRST\Quarantine\SearchProtect\bin\cltmng.exe a variant of Win32/Conduit.SearchProtect.B application
C:\FRST\Quarantine\SearchProtect\bin\FirefoxModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\FRST\Quarantine\SearchProtect\bin\InternetExplorerModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\FRST\Quarantine\SearchProtect\SearchProtect\bin\ChromeModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\FRST\Quarantine\SearchProtect\SearchProtect\bin\cltmng.exe a variant of Win32/Conduit.SearchProtect.B application
C:\FRST\Quarantine\SearchProtect\SearchProtect\bin\FirefoxModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\FRST\Quarantine\SearchProtect\SearchProtect\bin\InternetExplorerModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\FRST\Quarantine\SearchProtect\SearchProtect\bin\SPHook32.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\FRST\Quarantine\SearchProtect\SearchProtect\ffprotect\application.js Win32/Conduit.SearchProtect.A application
C:\Program Files (x86)\iWonEI\Installr\1.bin\jfEIPlug.dll a variant of Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\Win7codecs\Tools\Settings32.exe Win32/Packed.Autoit.C.Gen application
C:\ProgramData\Spybot - Search & Destroy\Recovery\FunWebProducts141.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\FunWebProducts61.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch209.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch215.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch346.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch352.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\WiIQfraud19.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\FunWebProducts141.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\FunWebProducts61.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch209.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch215.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch346.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch352.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WiIQfraud19.zip Win32/Bagle.gen.zip worm
C:\Users\Marie\Downloads\FreemakeVideoDownloaderSetup.exe Win32/OpenCandy application
C:\Users\Marie\Downloads\iLividSetup(1).exe Win32/Toolbar.SearchSuite application
C:\Users\Marie\Downloads\iLividSetup(2).exe Win32/Toolbar.SearchSuite application
C:\Users\Marie\Downloads\iLividSetup(3).exe Win32/Toolbar.SearchSuite application
C:\Users\Marie\Downloads\Setup.exe a variant of Win32/Adware.iBryte.G application
C:\Users\Marie\Downloads\youtubedownloadplayer-setup.exe Win32/DownloadAdmin.G application
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Looks like there is still some stuff remaining. The majority of the "threats" are already quarantined by other tools.

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.

If you don't know how to attach the files, please follow the instructions here: http://malwaretips.com/Thread-How-to-use-the-attachment-system?pid=16072#pid16072
 

efree777

New Member
Thread author
May 14, 2013
8
This scan only gave me the OTL.txt file (I didn't get the Extra.txt file)
 

Attachments

  • OTL.Txt (120.1 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Ok, that is fine. Let me know if your PC is all fine after the OTL fix.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKLM\..\SearchScopes\{362269bd-c93c-460f-9255-3bd667eb7f0a}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZLxdm248YYUS&ptb=3C1CBEC9-A049-4FB6-8192-2F41A7281542&psa=&ind=2010083100&ptnrS=ZLxdm248YYUS&si=gem3564&st=sb&n=77cf6f1c&searchfor={searchTerms}
IE - HKU\S-1-5-21-767052454-1278637375-1300389408-1003\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - No CLSID value found
O4 - HKLM..\Run: [SearchProtection] C:\ProgramData\Search Protection\_run.bat ()
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
[2013/05/13 16:40:45 | 000,000,000 | ---D | C] -- C:\SearchProtect
[2009/12/25 21:29:45 | 000,000,000 | ---D | M] -- C:\Users\Marie\AppData\Roaming\Win7codecs

:Files
C:\ProgramData\Search Protection
C:\Program Files (x86)\iWonEI
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A notepad document should open automatically called checkup.txt.
  • Please post the contents of that document in your next reply. Please do not attach it!
 

efree777

New Member
Thread author
May 14, 2013
8
FROM OTL FIX:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{362269bd-c93c-460f-9255-3bd667eb7f0a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{362269bd-c93c-460f-9255-3bd667eb7f0a}\ not found.
Registry value HKEY_USERS\S-1-5-21-767052454-1278637375-1300389408-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{CA3EB689-8F09-4026-AA10-B9534C691CE0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtection deleted successfully.
C:\ProgramData\Search Protection\_run.bat moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect not found.
C:\SearchProtect\ffprotect folder moved successfully.
C:\SearchProtect folder moved successfully.
C:\Users\Marie\AppData\Roaming\Win7codecs folder moved successfully.
========== FILES ==========
C:\ProgramData\Search Protection folder moved successfully.
C:\Program Files (x86)\iWonEI\Installr\setups folder moved successfully.
C:\Program Files (x86)\iWonEI\Installr\1.bin\chrome folder moved successfully.
C:\Program Files (x86)\iWonEI\Installr\1.bin folder moved successfully.
C:\Program Files (x86)\iWonEI\Installr folder moved successfully.
C:\Program Files (x86)\iWonEI folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Marie\Desktop\cmd.bat deleted successfully.
C:\Users\Marie\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Marie
->Temp folder emptied: 27012178 bytes
->Temporary Internet Files folder emptied: 22604955 bytes
->Java cache emptied: 52586492 bytes
->FireFox cache emptied: 70989297 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 57026 bytes

User: NeroMediaHomeUser.4
->Temp folder emptied: 35840 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 35086134 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50741 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84793 bytes
RecycleBin emptied: 213002 bytes

Total Files Cleaned = 199.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 05162013_102333

Files\Folders moved on Reboot...
C:\Users\Marie\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Marie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Marie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
C:\Users\Marie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WEI2LL9U\count[2].js moved successfully.
C:\Users\Marie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GJ5SEV8K\fastbutton[1].htm moved successfully.
C:\Users\Marie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2P6VK62X\Thread-can-t-get-rid-of-w32-downloader-gen[1].htm moved successfully.
C:\Users\Marie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2P6VK62X\tweet_button.1368146021[1].htm moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


FROM SECURITYCHECK:

Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Lavasoft Ad-Aware
Norton Internet Security
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
MVPS Hosts File
Spybot - Search & Destroy
Java(TM) 6 Update 22
Java version out of Date!
Adobe Flash Player 11.7.700.202
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 14.0.1 Firefox out of Date!
Google Chrome 25.0.1364.172
Google Chrome 26.0.1410.64
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Spybot Teatimer.exe is disabled!
Ad-Aware Antivirus AdAwareService.exe
Ad-Aware Antivirus SBAMSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

Fiery

Level 1
Jan 11, 2011
2,007
Looks good. Unless you have any other problems, we will clean up. I would say you don't need Ad-aware and Spybot as they are somewhat ineffective nowadays. You are better off using Sandboxie for further protection (I provided the info below)

If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall




Now that your PC is clean, I recommend you create a new System Restore point and then purge the old ones.

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link




Keep your system updated
Please go to control panel and uninstall the following:

Java™ 6 Update 22
Adobe Reader 9

Delete older Java version from your computer by downloading JavaRa
  • Run JavaRa.exe, then click Remove JRE.
  • Let the tool run
  • Once it finishes, close JavaRa

Currently, the following programs on your PC are outdated:
  • Java - Update Java here
  • Adobe reader - Update Adobe Reader here
Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:
  • Download and install Update Checker. It will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here


Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Backup important files regularly to an external hard-drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.


Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox has fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disables/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java content to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 

efree777

New Member
Thread author
May 14, 2013
8
It appears to be working much better. I removed adaware and spybot and will use ccleaner and malwarebytes from this point on (I also took your advice and installed sandboxie).
I will keep an eye on it over the next few days and if it seems to be working as it should, I will donate a few bucks for your trouble.
I appreciate all the help.
 

efree777

New Member
Thread author
May 14, 2013
8
I do have one more question to ask. Before lunch today I started Malwarebytes performing a full system scan. Right now, it is still running (7 hours later). This laptop (Asus N50V) is probably about 4 years old, but should it take 7+ hours to run a full system scan? This seems excessive.
 
