Think I got a virus

Solved/Closed
hemstuck Posts 6 Registration date Thursday July 18, 2013 Status Member Last seen February 1, 2014 - Jul 18, 2013 at 07:55 PM
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jul 26, 2013 at 04:54 PM
Hi people
Need help
This happened on a site, I believe, where I downloaded CCleaner, but not sure! I believe it is the Defender virus, as my Essentials security will not scan now, and if I try and download or operate anything that looks like a virus checker it will delete it or not let it load!
Any help would be a big deal here. Bear in mind I'm not real techy, so it's a real effort for me to wrap my head around doing anything much more than Control-Alt-Delete!
Tried Trend Micro online scan, but the little bugger stops TM dead in its tracks, calls it a virus and deletes it!

19 responses

Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 19, 2013 at 06:27 AM
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a log.

1. Open this link and download ZHPDiag2 :

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

(Don't be alarmed if the site is in French, it sometimes happens; the tool will take your system language and allow the download if you get a warning message.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

The tool creates three icons: ZHPDiag, MRB, and ZHPFix (if necessary, we will use ZHPFix at the next step).

4. Double click on the shortcut ZHPDiag on your Desktop.

5. Click on the green arrow to ensure you have the latest version. Click on the eyedropper icon and ensure all of the items are checked.

6. Click on the Magnifying glass with the + sign and run the analysis.

Wait for the tool to finish (maybe a long time).

7. Close ZHPDiag.

8. To transmit the report, click on this link :

https://authentification.site

9. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload".

12. Copy the URL and post it here.

Best regards

Ambucias
Moderator /Security Contributor
0
hemstuck Posts 6 Registration date Thursday July 18, 2013 Status Member Last seen February 1, 2014
Jul 19, 2013 at 08:20 AM
Hello Ambucias, thanks for the reply! The link you sent did the same as the other scans; this bug recognizes any virus scan and will not allow it to run. When I went to download the program it flags up scan failed.
0
hemstuck Posts 6 Registration date Thursday July 18, 2013 Status Member Last seen February 1, 2014
Jul 19, 2013 at 08:35 AM
Here's one excuse it gives; I could not copy and paste them all!
I'm running Windows 7 Ultimate, if this will help sort this out.

Antivirus software detected a virus. Your downloaded file may have a virus, as a result the file you attempted to download was removed by the windows attachment manager

Unfortunately the bug ties up everything; system recovery only goes back to the date of the attack, yada yada. I can't copy and paste the running processes, can I?
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 19, 2013 at 04:26 PM
Please boot in safe mode with networking and then follow my instructions for ZHP Diag. If it fails, I have another solution.
0

hemstuck Posts 6 Registration date Thursday July 18, 2013 Status Member Last seen February 1, 2014
Jul 19, 2013 at 07:56 PM
I'm in safe mode as I type this. The same deal happened: failed. It seemed to download but didn't complete!
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 20, 2013 at 05:04 AM
Okay, I suspect that you have a rogue Trojan Horse.

Please follow the following procedure carefully and to the letter.

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from functioning.

You must kill the evil processes which the virus is presently running and preventing you from running any antivirus. If you don't, it will keep reproducing the files forever.

To kill the processes:

1. Download to your desktop and run Rogue Kill:

https://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing with excruciating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.

Still do not reboot, but Download and run ZHP Diag.

Good luck
0
hemstuck Posts 6 Registration date Thursday July 18, 2013 Status Member Last seen February 1, 2014
Jul 20, 2013 at 08:21 AM
Well Bud, that did the same thing in safe mode; this bug seems to know all the angles. Same result with that link. Guess we're shooting in the dark here. Is there anything I can look for in the running processes to see what bug we're dealing with???
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 20, 2013 at 05:06 PM
I see my Canadian friend, it is a sticky wicket indeed.

Please hold on while I consult with a colleague on this issue. He may communicate with you directly with a French accent. His nick is juju666.

Catch you later alligator.
0
hemstuck Posts 6 Registration date Thursday July 18, 2013 Status Member Last seen February 1, 2014
Jul 20, 2013 at 09:28 PM
Well, thanx for the tries anyway; these little buggers seem to like to live on!
For the life of me I don't see the jollies in these programs people create to make others feel uncomfortable; it's not like a fire bug, where you can watch the fire burn after. It must be the change of defeating the mighty Microsoft gurus that entertains these guys (Try and fix this, guys) at the expense of us dummies out here in the great white north. Or maybe it's the antivirus dudes creating work for themselves.
This one is obviously not the antivirus dudes. No one has come up as a hero yet! :-) Long as your bud types English I'll be alright; I don't hear well and have hard times with all accents and people that don't speak up! :-(

thanx again for your expertise .
I will await more tutor-age
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 21, 2013 at 05:53 AM
Hello,

I totally agree with you. You may wish to print these instructions.

We will try this:

1. Download this Rogue Killer, preferably from another computer but don't run it yet:

https://www.adlice.com/roguekiller/

2. Transfer Rogue Killer on a pen drive or flash drive.

3. Connect the pen drive.

4. Restart your machine in safe mode and choose safe mode with command prompt.

5. Type the letter of the volume of your pendrive, ie E:/>

(could be another letter)

6. you should see the files on your pendrive.

7. Type roguekiller and press enter; the programme should open.

8. Click on scan, once the scan is finished, click on delete

9. Close Roguekiller and type shutdown /r and press enter and click ok

10. Run Malwarebytes again

11. Download the following Adwcleaner created by Xplode

https://ccm.net/downloads/security-and-maintenance/6911-adwcleaner/

Launch it (for Windows 7 and 8, right-click to run as administrator)
Click on delete

12. Follow my instructions for ZHP Diag.

Good luck and God save the Queen !
0
K, problem solved; the last trick dodged the little bugger!
Thanx so much, Ambucias and friends, for all your efforts.
The rogue killer seemed to do the trick. Time will tell I spose

The queen has another grand child as of today!
God save the Queen and the grand children! :-)
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 23, 2013 at 05:52 AM
Please run a ZHP Diag and upload on Speedyshare.

This is probably not the end of it.

Yep ! It's a boy ! I hope they won't call him Stephen, Harper would faint.
0
Rapport de ZHPDiag v2013.7.22.36 par Nicolas Coolman, Update du 7/22/2013
Run by Laura at 7/23/2013 5:40:16 AM
WebSite: http://nicolascoolman.webs.com
State : Your version is update.
WhiteList : Enable
High Elevated Privileges : OK
UAC : Deactivate by program


---\\ Web Browser
MSIE: Internet Explorer v10.0.9200.16635
MFIE: Mozilla Firefox 22.0
GCIE: Google Chrome v28.0.1500.72 (Defaut)

---\\ Windows Product Information
~ Langage: Anglais
Windows 7 Ultimate Edition, 32-bit Service Pack 1 (Build 7601)
Windows Server License Manager Script : OK
~ Windows(R) 7, RETAIL channel
Software Protection Service (Protection logicielle) : OK
Windows Automatic Updates : OK
Windows Activation Technologies : OK

---\\ System Protection
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Security Client v4.2.0223.1
Windows Defender W7

---\\ System Optimizer

---\\ Peer To Peer (P2P)
µTorrent v3.2.1.28086 =>P2P.µTorrent

---\\ Software Update
Adobe Flash Player 11 Plugin
Adobe Reader X

---\\ System Information
~ Processor: x86 Family 6 Model 15 Stepping 13, GenuineIntel
~ Operating System: 32 Bits
Boot mode: Normal (Normal boot)
Total RAM: 2038.4 MB (52% free)
System Restore: Activé (Enable)
System drive C: has 178 GB (76%) free of 233 GB

---\\ Logged in mode
~ Computer Name: LAURA-PC
~ User Name: Laura
~ All Users Names: Laura, HomeGroupUser$, Guest, ASPNET, Administrator,
~ Unselected Option: O45,O61,O62,O65,O66,O80,O82,O89
Logged in as Administrator

---\\ Environnement Variables
~ System Unit : C:\
~ %AppData% : C:\Users\Laura\AppData\Roaming\
~ %Desktop% : C:\Users\Laura\Desktop\
~ %Favorites% : C:\Users\Laura\Favorites\
~ %LocalAppData% : C:\Users\Laura\AppData\Local\
~ %StartMenu% : C:\Users\Laura\AppData\Roaming\Microsoft\Windows\Start Menu\
~ %Windir% : C:\Windows\
~ %System% : C:\Windows\System32\

---\\ DOS/Devices
C:\ Hard drive, Flash drive, Thumb drive (Free 178 Go of 233 Go)
D:\ CD-ROM drive (Not Inserted)



---\\ Security Center & Tools Informations
~ Security Center: 26 Legitimates Filtered in 00mn AMs



---\\ Search Generic System Files
[MD5.8B88EBBB05A0E56B7DCC708498C02B3E] - (.Microsoft Corporation - Windows Explorer.) (.2/24/2011 - 9:30:54 PM.) -- C:\Windows\Explorer.exe [2616320]
[MD5.B5C5DCAD3899512020D135600129D665] - (.Microsoft Corporation - Windows Start-Up Application.) (.7/13/2009 - 5:14:45 PM.) -- C:\Windows\System32\Wininit.exe [96256]
[MD5.9BF7C7654EFD098EE3A27B49492A382A] - (.Microsoft Corporation - Internet Extensions for Win32.) (.6/11/2013 - 3:43:37 PM.) -- C:\Windows\System32\wininet.dll [1767936]
[MD5.6D13E1406F50C66E2A95D97F22C47560] - (.Microsoft Corporation - Windows Logon Application.) (.11/20/2010 - 4:17:54 AM.) -- C:\Windows\System32\Winlogon.exe [286720]
[MD5.E3AE23569749DE12D45BA3B489A036AE] - (.Microsoft Corporation - Software Licensing Library.) (.11/20/2010 - 4:21:24 AM.) -- C:\Windows\System32\sppcomapi.dll [193536]
[MD5.9EBBBA55060F786F0FCAA3893BFA2806] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.4/24/2011 - 6:18:03 PM.) -- C:\Windows\system32\Drivers\AFD.sys [338944]
[MD5.338C86357871C167A96AB976519BF59E] - (.Microsoft Corporation - ATAPI IDE Miniport Driver.) (.7/13/2009 - 5:26:15 PM.) -- C:\Windows\system32\Drivers\atapi.sys [21584]
[MD5.77EA11B065E0A8AB902D78145CA51E10] - (.Microsoft Corporation - CD-ROM File System Driver.) (.7/13/2009 - 3:11:15 PM.) -- C:\Windows\system32\Drivers\Cdfs.sys [70656]
[MD5.BE167ED0FDB9C1FA1133953C18D5A6C9] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.11/20/2010 - 12:38:10 AM.) -- C:\Windows\system32\Drivers\Cdrom.sys [108544]
[MD5.F024449C97EC1E464AAFFDA18593DB88] - (.Microsoft Corporation - DFS Namespace Client Driver.) (.11/20/2010 - 12:42:32 AM.) -- C:\Windows\system32\Drivers\DfsC.sys [78336]
[MD5.9036377B8A6C15DC2EEC53E489D159B5] - (.Microsoft Corporation - High Definition Audio Bus Driver.) (.11/20/2010 - 1:59:29 AM.) -- C:\Windows\system32\Drivers\HDAudBus.sys [108544]
[MD5.F151F0BDC47F4A28B1B20A0818EA36D6] - (.Microsoft Corporation - i8042 Port Driver.) (.7/13/2009 - 3:11:24 PM.) -- C:\Windows\system32\Drivers\i8042prt.sys [80896]
[MD5.A5FA468D67ABCDAA36264E463A7BB0CD] - (.Microsoft Corporation - IP Network Address Translator.) (.7/13/2009 - 3:54:29 PM.) -- C:\Windows\system32\Drivers\IpNat.sys [101888]
[MD5.5D16C921E3671636C0EBA3BBAAC5FD25] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.4/26/2011 - 6:17:22 PM.) -- C:\Windows\system32\Drivers\MRxSmb.sys [123904]
[MD5.280122DDCF04B378EDD1AD54D71C1E54] - (.Microsoft Corporation - MBT Transport driver.) (.11/20/2010 - 12:39:44 AM.) -- C:\Windows\system32\Drivers\netBT.sys [187904]
[MD5.5E43D2B0EE64123D4880DFA6626DEFDE] - (.Microsoft Corporation - NT File System Driver.) (.4/12/2013 - 5:45:29 AM.) -- C:\Windows\system32\Drivers\ntfs.sys [1211752]
[MD5.2EA877ED5DD9713C5AC74E8EA7348D14] - (.Microsoft Corporation - Parallel Port Driver.) (.7/13/2009 - 3:45:35 PM.) -- C:\Windows\system32\Drivers\Parport.sys [79360]
[MD5.D9F91EAFEC2815365CBE6D167E4E332A] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.7/13/2009 - 3:54:34 PM.) -- C:\Windows\system32\Drivers\Rasl2tp.sys [78848]
[MD5.B973FCFC50DC1434E1970A146F7E3885] - (.Microsoft Corporation - Microsoft RDP Device redirector.) (.11/20/2010 - 2:24:46 AM.) -- C:\Windows\system32\Drivers\rdpdr.sys [133632]
[MD5.3E21C083B8A01CB70BA1F09303010FCE] - (.Microsoft Corporation - SMB Transport driver.) (.7/13/2009 - 3:53:41 PM.) -- C:\Windows\system32\Drivers\smb.sys [71168]
[MD5.B459575348C20E8121D6039DA063C704] - (.Microsoft Corporation - TDI Translation Driver.) (.11/20/2010 - 12:39:17 AM.) -- C:\Windows\system32\Drivers\tdx.sys [74752]
[MD5.F497F67932C6FA693D7DE2780631CFE7] - (.Microsoft Corporation - Volume Shadow Copy Driver.) (.11/20/2010 - 4:30:16 AM.) -- C:\Windows\system32\Drivers\volsnap.sys [245632]
~ Generic Processes: Scanned in 00mn AMs



---\\ Hidden files state (Hidden/Total)
~ Mes images (My Pictures) : 2/264
~ Mes musiques (My Musics) : 1/180
~ Mes Favoris (My Favorites) : 1/488
~ Mes Documents (My Documents) : 4/156
~ Mon Bureau (My Desktop) : 1/460
~ Menu demarrer (Programs) : 1/22
~ Hidden Files: Scanned in 01mn AMs



---\\ Running Processes
[MD5.D1D5DAB39DCB4BE0359943738D87409B] - (.Malwarebytes Corporation - Malwarebytes Anti-Malware.) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [532040] [PID.1780]
[MD5.68239842340DDFF8993DFD9127553EDA] - (.Intel Corporation - igfxTray Module.) -- C:\Windows\System32\igfxtray.exe [141848] [PID.3740]
[MD5.004763BDF8E48244DBB9FDFDE3065EBC] - (.Intel Corporation - hkcmd Module.) -- C:\Windows\System32\hkcmd.exe [173592] [PID.3756]
[MD5.CD1102E5D340216138C7F56FA8D26998] - (.Intel Corporation - persistence Module.) -- C:\Windows\System32\igfxpers.exe [150552] [PID.3768]
[MD5.D9C51528488EA0D98D3C4D02ABD16759] - (.Intel Corporation - igfxsrvc Module.) -- C:\Windows\system32\igfxsrvc.exe [252952] [PID.3928]
[MD5.98A078F838A70F84E1BD490D7C7675F4] - (.Sun Microsystems, Inc. - Java(TM) Update Scheduler.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696] [PID.2236]
[MD5.C26B09276755E0698B31CF0BAE0BF182] - (.Apple Inc. - Apple Push.) -- C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280] [PID.2200]
[MD5.E774F875819DEE4A312A921A88F779FE] - (.Microsoft Corporation - IPoint.exe.) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576] [PID.2476]
[MD5.E4401CF27225C1D6E664E86195978562] - (.Apple Inc. - iTunesHelper.) -- C:\Program Files\iTunes\iTunesHelper.exe [152544] [PID.912]
[MD5.C7391769FCD6E04196EE8CA831E2C7E8] - (.Apple Inc. - iCloud.) -- C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59872] [PID.3232]
[MD5.19384B2D2976C16971DA567653D5DF95] - (.Apple Inc. - ApplePhotoStreams.exe.) -- C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59872] [PID.200]
[MD5.5ED88C99410A8262112F7550402151DF] - (.Apple Inc. - BookmarkDAV_client.exe.) -- C:\Program Files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe [59872] [PID.3480]
[MD5.B54921381A950C8215FB363B485C432B] - (.Hewlett-Packard Co. - HP Digital Imaging Monitor.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [270336] [PID.3668]
[MD5.CB037F03178E31BA2985ADD15879CA56] - (.Google Inc. - Google Chrome.) -- C:\Program Files\Google\Chrome\Application\chrome.exe [846288] [PID.3700]
[MD5.7C5A4D3222DEA5570C8F08EC7FC74199] - (.Sun Microsystems, Inc. - Java(TM) Update Checker.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe [508136] [PID.4280]
[MD5.9265DC583D291B5C5C5631231BFD14B2] - (.Nicolas Coolman - ZHPDiag.) -- C:\Program Files\ZHPDiag\ZHPDiag.exe [7748096] [PID.3972]
~ Processes Running: Scanned in 00mn AMs



---\\ Google Chrome, Start,Search,Extensions (G0,G1,G2)
C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Preferences
G0 - GCSP: Preference [User Data\Default][HomePage] http://www.theweathernetwork.com
G2 - GCE: Preference [User Data\Default] [ejpbbhjlbipncjklfjjaedaieimbmdda] uTorrentControl_v2 v.2.3.19.11 (Désactivé) =>P2P.µTorrent
~ Google Browser: 13 Legitimates Filtered in 14mn AMs



---\\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3)
C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\prefs.js
M3 - MFPP: Plugins - [Laura] -- C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\searchplugins\askcom.xml
M3 - MFPP: Plugins - [Laura] -- C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\searchplugins\conduit.xml
M0 - MFSP: prefs.js [Laura - nx8cg407.default] http://search.conduit.com
M2 - MFEP: prefs.js [Laura - nx8cg407.default\{7473b6bd-4691-4744-a82b-7854eb3d70b6}] [] uTorrentControl_v2 v10.16.4.519 (..) =>P2P.µTorrent
~ Firefox Browser: 11 Legitimates Filtered in 00mn AMs



---\\ Internet Explorer Extensions, Start, Search (R4,R3,R0,R1)
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.theweathernetwork.com
~ IE Browser: 11 Legitimates Filtered in 00mn AMs



---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Proxy management: Scanned in 00mn AMs



---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\Windows\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\Windows\explorer.exe
F2 - REG:system.ini: VMApplet=C:\Windows\System32\SystemPropertiesPerformance.exe
~ Keys: Scanned in 00mn AMs



---\\ Hosts file redirection (O1)
~ Le fichier hosts est sain (The hosts file is clean).
~ Hosts File: Scanned in 00mn AMs
~ Nombre de lignes (Lines number): 21



---\\ Browser Helper Objects (O2)
O2 - BHO: uTorrentControl_v2 - {7473b6bd-4691-4744-a82b-7854eb3d70b6} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\uTorrentControl_v2\prxtbuTor.dll =>P2P.µTorrent
~ BHO: 5 Legitimates Filtered in 00mn AMs



---\\ Internet Explorer toolbars (O3)
O3 - Toolbar: uTorrentControl_v2 Toolbar - [HKLM]{7473b6bd-4691-4744-a82b-7854eb3d70b6} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\uTorrentControl_v2\prxtbuTor.dll =>P2P.µTorrent
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{724D43A0-0D85-11D4-9908-00400523E39A} Orphean Key
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{D4027C7F-154A-4066-A1AD-4243D8127440} Orphean Key
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{2318C2B1-4965-11D4-9B18-009027A5CD4F} Orphean Key
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{7473B6BD-4691-4744-A82B-7854EB3D70B6} Orphean Key
~ Toolbar: Scanned in 00mn AMs



---\\ Auto loading programs from Registry and folders (O4)
O4 - HKLM\..\Run: [IgfxTray] . (.Intel Corporation - igfxTray Module.) -- C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] . (.Intel Corporation - hkcmd Module.) -- C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] . (.Intel Corporation - persistence Module.) -- C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpqSRMon] . (.Hewlett-Packard - HpqSRmon.) -- C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe ARM] . (.Adobe Systems Incorporated - Adobe Reader and Acrobat Manager.) -- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] . (.Sun Microsystems, Inc. - Java(TM) Update Scheduler.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
O4 - HKLM\..\Run: [APSDaemon] . (.Apple Inc. - Apple Push.) -- C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
O4 - HKLM\..\Run: [IntelliPoint] . (.Microsoft Corporation - IPoint.exe.) -- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - HKLM\..\Run: [iTunesHelper] . (.Apple Inc. - iTunesHelper.) -- C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MSC] . (.Microsoft Corporation - Microsoft Security Client User Interface.) -- c:\Program Files\Microsoft Security Client\msseces.exe
O4 - HKCU\..\Run: [iCloudServices] . (.Apple Inc. - iCloud.) -- C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
O4 - HKCU\..\Run: [ApplePhotoStreams] . (.Apple Inc. - ApplePhotoStreams.exe.) -- C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
O4 - HKCU\..\Run: [com.apple.dav.bookmarks.daemon] . (.Apple Inc. - BookmarkDAV_client.exe.) -- C:\Program Files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe
O4 - HKUS\S-1-5-21-2752919900-1317857725-1217130271-1000\..\Run: [iCloudServices] . (.Apple Inc. - iCloud.) -- C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
O4 - HKUS\S-1-5-21-2752919900-1317857725-1217130271-1000\..\Run: [ApplePhotoStreams] . (.Apple Inc. - ApplePhotoStreams.exe.) -- C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
O4 - HKUS\S-1-5-21-2752919900-1317857725-1217130271-1000\..\Run: [com.apple.dav.bookmarks.daemon] . (.Apple Inc. - BookmarkDAV_client.exe.) -- C:\Program Files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
~ Application: Scanned in 00mn AMs



---\\ Other User Links (O4)
O4 - GS\TaskBar: Internet Explorer.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
O4 - GS\TaskBar: Microsoft Office Outlook 2003.lnk . (...) -- C:\Windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
O4 - GS\TaskBar: Windows Explorer.lnk . (.Microsoft Corporation - Windows Explorer.) -- C:\Windows\explorer.exe
O4 - GS\TaskBar: Windows Media Player.lnk . (.Microsoft Corporation - Windows Media Player.) -- C:\Program Files\Windows Media Player\wmplayer.exe
O4 - GS\Programs: Internet Explorer.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
O4 - GS\QuickLaunch: Foxit Reader 5.0.lnk . (...) -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
O4 - GS\QuickLaunch: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
O4 - GS\QuickLaunch: Launch Internet Explorer Browser.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
O4 - GS\QuickLaunch: Launch Microsoft Office Outlook.lnk . (.Microsoft Corporation - Microsoft Office Outlook.) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
O4 - GS\QuickLaunch: Mozilla Thunderbird.lnk . (.Mozilla Messaging - Thunderbird.) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - GS\QuickLaunch: µTorrent.lnk . (.BitTorrent, Inc. - µTorrent.) -- C:\Program Files\uTorrent\uTorrent.exe =>P2P.µTorrent
O4 - GS\Accessories: Internet Explorer (No Add-ons).lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
O4 - GS\Accessories: Private Character Editor.lnk . (.Microsoft Corporation - Private Character Editor.) -- C:\Windows\system32\eudcedit.exe
O4 - GS\SendTo: Fax Recipient.lnk . (.Microsoft Corporation - Microsoft Windows Fax and Scan.) -- C:\Windows\system32\WFS.exe
O4 - GS\Desktop: 2012-02-11 Dennis Readings - Shortcut.lnk . (...) -- C:\Users\Laura\Pictures\2012-02-11 Dennis Readings
O4 - GS\Desktop: Epson Stylus Photo RX500 (M) - Shortcut.lnk - Orphean Key
O4 - Global Startup: C:\Users\Laura\Desktop\Google.url . (...) -- C:\Users\Laura\Desktop\Google.url
O4 - GS\Desktop: pwds - Shortcut.lnk . (...) -- C:\Users\Laura\Documents\pwds.xls
O4 - GS\Desktop: Sound - Shortcut.lnk - Orphean Key
~ Global Startup: Scanned in 00mn AMs



---\\ Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (O9)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} . (...) -- C:\Program Files\Microsoft Office\OFFICE11\REFBARH.ICO
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} . (.Hewlett-Packard Co. - HP Smart Web Printing add-on for Internet Explorer.) -- C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
~ IE Extra Buttons: Scanned in 00mn AMs



---\\ Winsock hijacker (Layered Service Provider) (O10)
O10 - WLSP:\000000000002\Winsock LSP File . (.Microsoft Corporation - E-mail Naming Shim Provider.) -- C:\Windows\system32\napinsp.dll
~ Winsock: 7 Legitimates Filtered in 00mn AMs



---\\ ActiveX Objects (Downloaded Program Files) (O16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} ((no name)) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
~ Objets ActiveX: Scanned in 00mn AMs



---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{409DDD88-4786-4418-A998-B06DF27803E6}: DhcpNameServer = 192.168.4.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3D9B1D-1939-4A6B-A129-F2DD1CC3AE64}: DhcpNameServer = 192.168.1.1 64.59.160.15 64.59.161.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{E030BEA0-FFC7-4461-9AFB-22E69D76E3EB}: DhcpNameServer = 184.151.118.254 70.28.245.227
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F3D9B1D-1939-4A6B-A129-F2DD1CC3AE64}: DhcpDomain = no.shawcable.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{409DDD88-4786-4418-A998-B06DF27803E6}: DhcpNameServer = 192.168.4.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F3D9B1D-1939-4A6B-A129-F2DD1CC3AE64}: DhcpNameServer = 192.168.1.1 64.59.160.15 64.59.161.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{E030BEA0-FFC7-4461-9AFB-22E69D76E3EB}: DhcpNameServer = 184.151.118.254 70.28.245.227
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F3D9B1D-1939-4A6B-A129-F2DD1CC3AE64}: DhcpDomain = no.shawcable.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{409DDD88-4786-4418-A998-B06DF27803E6}: DhcpNameServer = 192.168.4.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{8F3D9B1D-1939-4A6B-A129-F2DD1CC3AE64}: DhcpNameServer = 192.168.1.1 64.59.160.15 64.59.161.69
O17 - HKLM\System\CS2\Services\Tcpip\..\{E030BEA0-FFC7-4461-9AFB-22E69D76E3EB}: DhcpNameServer = 184.151.118.254 70.28.245.227
O17 - HKLM\System\CS2\Services\Tcpip\..\{8F3D9B1D-1939-4A6B-A129-F2DD1CC3AE64}: DhcpDomain = no.shawcable.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 64.59.160.15 64.59.161.69
~ Domain: Scanned in 00mn AMs



---\\ Extra protocols (O18)
O18 - Handler: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} . (.Microsoft Corporation - Microsoft Office XML MIME Filter.) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.dll
~ Protocole Additionnel: Scanned in 00mn AMs



---\\ AppInit_DLLs Registry value Autorun (O20)
O20 - Winlogon Notify: igfxcui . (.Intel Corporation - igfxdev Module.) -- C:\Windows\System32\igfxdev.dll
~ Winlogon: Scanned in 00mn AMs



---\\ Task Planned Automatically(039)
[MD5.00000000000000000000000000000000] [APT] [Run RoboForm TaskBar Icon] (...) -- C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (.not file.) [0]
[MD5.00000000000000000000000000000000] [APT] [{B2B54856-A4C8-4098-ACA4-0F799B6ABB50}] (...) -- D:\\setup.exe (.not file.) [0]
~ Scheduled Task: 11 Legitimates Filtered in 02mn AMs



---\\ Drivers launched at startup (O41)
O41 - Driver: (ebqbvwhz) . (. - .) - C:\Windows\system32\drivers\ebqbvwhz.sys (.not file.)
~ Drivers: 65 Legitimates Filtered in 00mn AMs



---\\ HKCU & HKLM Software Keys
[HKCU\Software\AppDataLow\Software\ConduitSearchScopes]
[HKCU\Software\AppDataLow\Software\Smartbar] =>Hijacker.SmartBar
[HKCU\Software\AppDataLow\Toolbar]
[HKCU\Software\YahooPartnerToolbar] =>Toolbar.Yahoo
~ Key Software: 96 Legitimates Filtered in 00mn AMs



---\\ Contents of the Common Files folders (O43)
O43 - CFD: 10/21/2012 - 8:24:34 AM - [0] ----D C:\Users\Laura\AppData\Roaming\Xique
~ Program Folder: 116 Legitimates Filtered in 01mn AMs



---\\ Last modified or created files under Windows and System32 (O44)
O44 - LFC:[MD5.727E2D71ADC4BCDE5998A068BA720BC9] - 7/11/2013 - 4:20:55 AM ---A- . (...) -- C:\Windows\win.ini [534]
O44 - LFC:[MD5.90A2A9AF50C56B3F4115EBFE89431B60] - 7/22/2013 - 5:45:32 PM ---A- . (...) -- C:\Windows\ntbtlog.txt [561792]
~ Files: 33 Legitimates Filtered in 02mn AMs



---\\ Microsoft Windows Policies System (MWPS) (O55)
O55 - MWPS:[HKLM\...\Policies\System] - "EnableUIADesktopToggle"=0
O55 - MWPS:[HKLM\...\Policies\System] - "FilterAdministratorToken"=0
~ MWPS: 16 Legitimates Filtered in 00mn AMs



---\\ System Drivers List (SDL) (O58)
O58 - SDL:[MD5.21E785EBD7DC90A06391141AAC7892FB] - 7/13/2009 - 5:26:15 PM ---A- . (.Adaptec, Inc. - Adaptec Windows SAS/SATA Storport Driver.) -- C:\Windows\System32\Drivers\adp94xx.sys [422976]
O58 - SDL:[MD5.8AAD333C876590293F72B315E162BCC7] - 7/13/2009 - 1:40:41 PM ---A- . (...) -- C:\Windows\System32\ANSI.SYS [9029]
~ Drivers: Scanned in 00mn AMs



---\\ List all tools cleaner (LATC) (O63)
O63 - Logiciel: ZHPDiag 2013 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1
~ ADS: Scanned in 00mn AMs



---\\ File Associations Shell Spawning (O67)
O67 - Shell Spawning: <.html> <ChromeHTML>[HKCU\..\open\Command] (.Not Key.)
~ FASS Keys: 19 Legitimates Filtered in 00mn AMs



---\\ Start Menu Internet (SMI) (O68)
O68 - StartMenuInternet: <FIREFOX.EXE> <Mozilla Firefox>[HKLM\..\Shell\open\Command] (.Mozilla Corporation - Firefox.) -- C:\Program Files\Mozilla Firefox\firefox.exe
O68 - StartMenuInternet: <Google Chrome> <Google Chrome>[HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
O68 - StartMenuInternet: <IEXPLORE.EXE> <Internet Explorer>[HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
~ Keys: Scanned in 00mn AMs



---\\ Search Browser Infection (SBI) (O69)
O69 - SBI: C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\searchplugins\askcom.xml
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("CT3220468.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=");
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("CT3220468.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"http://search.conduit.com/?ctid=CT3220468&octid=CT3[...]
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("CT3220468.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"http%3A%2F%2Fsearch.conduit.com%2F%3Fctid%3DCT3220468%26Sea[...]
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("CT3220468.originalSearchAddressUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&CUI=UN294[...]
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("Smartbar.ConduitHomepagesList", "http://search.conduit.com/?ctid=CT3220468&SearchSource=13"); =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("Smartbar.ConduitSearchEngineList", ""); =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("Smartbar.ConduitSearchUrlList", ""); =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT3220468&SearchSource=13");
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?octid=CT3220468&ctid=CT3220468&SearchSource=2&CUI=UN2947226688[...]
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("smartbar.conduitSearchAddressUrlList", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=,http[...] =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("smartbar.originalSearchAddressUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q="); =>Hijacker.SmartBar
O69 - SBI: SearchScopes [HKCU] {0633EE93-D776-472f-A0FF-E1416B8B2E3A} - (Bing) - http://www.bing.com
O69 - SBI: SearchScopes [HKCU] {2B86313A-FCBF-41D6-B94E-BF8B1B6A1635} - (Ask Search) - http://websearch.ask.com
O69 - SBI: SearchScopes [HKCU] {2D1D0243-99D5-43F6-A444-227524CF3EDB} - (uTorrentControl_v2 Customized Web Search) - http://search.conduit.com =>P2P.µTorrent
O69 - SBI: SearchScopes [HKCU] {6A1806CD-94D4-4689-BA73-E35EA1EA9990} - (Google) - http://www.google.com
O69 - SBI: SearchScopes [HKCU] {A5E7C5CE-C02F-4FF5-8B6C-9178160EA9F8} [DefaultScope] - (Google) - http://www.google.com
~ Keys: Scanned in 00mn AMs



---\\ Search Particular Root Folder (SPRF) (O84)
[MD5.37249E0DB6B61F2609C9F6B761D41FE2] [SPRF][6/11/2011] (.Adobe Systems, Inc. - Adobe® Flash® Player Installer/Uninstaller 10.3 r181.) -- C:\Windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe [3120288]
~ Files: Scanned in 02mn AMs



---\\ MyComputer Name Space (O92)
O92 - MNS: Photo Stream - {F0D63F85-37EC-4097-B30D-61B4A8917118}
~ MNS: 2 Legitimates Filtered in 00mn AMs



---\\ General States of Services not Microsoft (EGS) (SR=Running, SS=Stopped)
SR - | Auto 5/9/2013 65640 | (AdobeARMservice) . (.Adobe Systems Incorporated.) - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
SS - | Demand 6/12/2013 256904 | (AdobeFlashPlayerUpdateSvc) . (.Adobe Systems Incorporated.) - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
SR - | Auto 8/11/2012 55184 | (Apple Mobile Device) . (.Apple Inc..) - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
SR - | Auto 8/30/2011 390504 | (Bonjour Service) . (.Apple Inc..) - C:\Program Files\Bonjour\mDNSResponder.exe
SS - | Auto 7/17/2013 116648 | (gupdate) . (.Google Inc..) - C:\Program Files\Google\Update\GoogleUpdate.exe
SS - | Demand 7/17/2013 116648 | (gupdatem) . (.Google Inc..) - C:\Program Files\Google\Update\GoogleUpdate.exe
SR - | Demand 7/13/2009 20992 | C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll (hpqcxs08) . (.Hewlett-Packard Co..) - C:\Windows\System32\svchost.exe
SR - | Auto 7/13/2009 20992 | C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll (hpqddsvc) . (.Hewlett-Packard Co..) - C:\Windows\System32\svchost.exe
SR - | Auto 7/13/2009 20992 | C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.dll (HPSLPSVC) . (.Hewlett-Packard Co..) - C:\Windows\System32\svchost.exe
SR - | Demand 12/12/2012 553440 | (iPod Service) . (.Apple Inc..) - C:\Program Files\iPod\bin\iPodService.exe
SR - | Auto 4/4/2013 418376 | (MBAMScheduler) . (.Malwarebytes Corporation.) - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
SR - | Auto 4/4/2013 701512 | (MBAMService) . (.Malwarebytes Corporation.) - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
SS - | Demand 7/8/2013 117144 | (MozillaMaintenance) . (.Mozilla Foundation.) - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
SS - | Auto 7/13/2009 20992 | C:\Windows\system32\HPZinw12.dll (Net Driver HPZ12) . (.Hewlett-Packard.) - C:\Windows\System32\svchost.exe
SS - | Auto 7/13/2009 20992 | C:\Windows\system32\HPZipm12.dll (Pml Driver HPZ12) . (.Hewlett-Packard.) - C:\Windows\System32\svchost.exe
SS - | Demand 7/13/2009 20992 | C:\Program Files\Windows Defender\mpsvc.dll (WinDefend) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
SR - | Auto 7/13/2009 20992 | C:\Windows\System32\wuaueng.dll (wuauserv) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
~ Services: Scanned in 04mn AMs



---\\ Additionnal Scan (O88)
Database Version : v2.12804 - (7/22/2013)
Clés trouvées (Keys found) : 4
Valeurs trouvées (Values found) : 1
Dossiers trouvés (Folders found) : 3
Fichiers trouvés (Files found) : 3

[HKLM\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}] =>Adware.iWinArcade
[HKCU\Software\AppDataLow\Software\ConduitSearchScopes] =>Toolbar.Conduit
[HKCU\Software\AppDataLow\Toolbar] =>Toolbar.Conduit
[HKLM\Software\Classes\Toolbar.CT3220468] =>Toolbar.Conduit
[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{D4027C7F-154A-4066-A1AD-4243D8127440} =>Toolbar.Avira
C:\Users\Laura\AppData\Local\Conduit =>Toolbar.Conduit
C:\Users\Laura\AppData\LocalLow\Conduit =>Toolbar.Conduit
C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\Smartbar =>Hijacker.SmartBar
C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\SearchPlugins\conduit.xml =>Toolbar.Conduit
[HKCU\Software\AppDataLow\Software\Smartbar] =>Hijacker.SmartBar^
[HKCU\Software\YahooPartnerToolbar] =>Toolbar.Yahoo^
~ Additionnel Scan: 227010 Items scanned in 33mn AMs



---\\ Malicius Software Information
~ http://nicolascoolman.webs.com/apps/blog/show/26990375-hijacker-smartbar =>Hijacker.SmartBar
~ http://nicolascoolman.webs.com/apps/blog/show/30268689-toolbar-yahoo =>Toolbar.Yahoo
~ http://nicolascoolman.webs.com/apps/blog/show/28766471-adware-iwinarcade =>Adware.iWinArcade
~ http://nicolascoolman.webs.com/apps/blog/show/29507721-toolbar-conduit =>Toolbar.Conduit
~ MSI: 4 link(s) detected in 33mn AMs



~ 643 Legitimates filtered by white list
End of the scan (454 lines in 40mn AMs)(0)
0
Thought I'd better post this for you, there are some questionable issues there????
What do you think?????
0
So there is a fix-it ZHPfixit icon on my desktop. Do I use it or is it fake???
Can't trust things at this point!!!!

Essentials is still running a full scan, 9 hours and 35 mins and counting
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 23, 2013 at 06:17 PM
Laura, Laura, Laura,

If you read my initial message again, ZHPFix is only to be used under guidance from an expert. It will fix things but only with specific instructions and inputs.

I was just about to go for supper. Never mind the Essentials scan, it's probably corrupted. I will analyse your log in the morning, and yes, there are some questions.

Catch you later.
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 24, 2013 at 05:43 AM
Laura,

As I suspected, your computer still has viruses in the form of hijackers. Your computer got infected through UTorrent.

Please follow these instructions:

1. Delete UTorrent

2. Click on ZHP Fix to open it, copy the lines below and then click on the clipboard button on the top left. Then click on the Go button at the bottom.

Here are the lines:

[HKCU\Software\AppDataLow\Software\Smartbar] =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("Smartbar.ConduitHomepagesList", "http://search.conduit.com/?ctid=CT3220468&SearchSource=13"); =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("Smartbar.ConduitSearchEngineList", ""); =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("Smartbar.ConduitSearchUrlList", ""); =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("smartbar.conduitSearchAddressUrlList", "https://www.bing.com/search?q=%2Chttp&pc=cosp&ptag=G6C999A6015BF3824&form=CONADR&conlogo=CT3210127[...] =>Hijacker.SmartBar
O69 - SBI: prefs.js [Laura - nx8cg407.default] user_pref("smartbar.originalSearchAddressUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q="); =>Hijacker.SmartBar
[HKLM\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}] =>Adware.iWinArcade
C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\Smartbar =>Hijacker.SmartBar
[HKCU\Software\AppDataLow\Software\Smartbar] =>Hijacker.SmartBar^

3. Close ZHP Fix

4. Download the following Adwcleaner created by Xplode

https://ccm.net/downloads/security-and-maintenance/6911-adwcleaner/

Launch it (for Windows 7 and 8, right-click to run as administrator)
Click on delete
Post the log C:\Adwcleaner[Sx].txt on this thread.
0
AdwCleaner v2.300 - Logfile created 07/24/2013 at 06:57:45
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Laura - LAURA-PC
# Boot Mode : Normal
# Running from : C:\Users\Laura\Downloads\AdwCleaner-2.300.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\searchplugins\Askcom.xml
File Found : C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\searchplugins\Conduit.xml
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Users\Laura\AppData\Local\Conduit
Folder Found : C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Folder Found : C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Folder Found : C:\Users\Laura\AppData\LocalLow\Conduit
Folder Found : C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\CT3220468
Folder Found : C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\prefs.js


-\\ Google Chrome v28.0.1500.72

File : C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [14678 octets] - [24/07/2013 06:35:26]
AdwCleaner[R2].txt - [14382 octets] - [24/07/2013 06:57:45]
AdwCleaner[S1].txt - [322 octets] - [24/07/2013 06:35:57]
0
Here's the scan after it deleted
Thanx to all again you guys are legends.

# AdwCleaner v2.300 - Logfile created 07/26/2013 at 05:34:09
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Laura - LAURA-PC
# Boot Mode : Normal
# Running from : C:\Users\Laura\Downloads\AdwCleaner-2.300 (2).exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\Laura\AppData\Roaming\Mozilla\Firefox\Profiles\nx8cg407.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [14678 octets] - [24/07/2013 06:35:26]
AdwCleaner[R2].txt - [14572 octets] - [24/07/2013 06:57:45]
AdwCleaner[R3].txt - [14529 octets] - [26/07/2013 05:21:47]
AdwCleaner[R4].txt - [1000 octets] - [26/07/2013 05:34:09]
AdwCleaner[S1].txt - [322 octets] - [24/07/2013 06:35:57]
AdwCleaner[S2].txt - [14737 octets] - [26/07/2013 05:22:19]

########## EOF - C:\AdwCleaner[R4].txt - [1180 octets] ##########
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jul 26, 2013 at 04:54 PM
Good! You have just deleted the rest of the malware that I knew would cause you more problems in the near future. Your system should now be breathing better and be more efficient.

I must now recommend that you delete:

1. Adwcleaner
2. ZHP Diag and
3. Malwarebytes as it may come in conflict with other antivirus software.

Download CCleaner from Kioskea's download section. Install it and run it once a week for both useless files and to clean your registry.

Be careful out there on the web.
0