Oscar_Delta Toolbar



Trickey
2013-11-26, 23:58
:sad:

Please Help: Thank You in advance, Trickey

Oscardelta.Toolbar: [SBI $FC70D376] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-329068152-1644491937-839522115-1004\Software\Conduit\FF\smartbar.machineId
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
_______________________________________________________________
Oscardelta.Toolbar: [SBI $FC70D376] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-329068152-1644491937-839522115-1004\Software\Conduit\FF\smartbar.machineId
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---


System: Windows XP Home 2002
Service Pack 3


Comes back every time, every scan, never really fixes, and tea timer is running.




DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.21359 BrowserJavaVersion: 10.45.2
Run by Bob at 15:50:33 on 2013-11-26
Microsoft Windows XP Home Edition

5.1.2600.3.1252.1.1033.18.2813.1752 [GMT -5:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.wafj.com/
uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} -
BHO: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} -
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: ZoneAlarm Security Toolbar: {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} -
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} -
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [deskPDF Creator] "c:\program files\docudesk\deskpdf creator\deskPDFCreator.exe" -minimize
uRun: [DesktopCal] c:\program files\desktopcal\desktopcal.exe
uRun: [OutlookOnDesktop] c:\program files\outlook on the desktop\OutlookDesktop.exe
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_9_900_117_Plugin.exe -update plugin
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [USRpdA] <no file>
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\wdquic~1.lnk - c:\program files\western digital\wd smartware\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:177
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.76.84.102 75.76.84.103 192.168.0.1
TCP: Interfaces\{BCC0671D-63C1-400D-AC50-358785E1E156} : DHCPNameServer = 75.76.84.102 75.76.84.103 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\wkcyz349.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\wkcyz349.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\wkcyz349.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - ExtSQL: !HIDDEN! 2010-11-10 13:33; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2010-11-5 902432]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-10-14 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-10-14 440376]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-10-14 440376]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-10-14 1164360]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-10-14 90400]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-11-10 219360]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2010-11-10 68136]
R2 HPFECP11;HPFECP11;c:\windows\system32\drivers\HPFecp11.sys [1999-5-3 52800]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-11-10 22016]
R2 WDRulesService;WDRulesService;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2011-8-1 1091984]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-11-5 152704]
R3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-10-26 100368]
R3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [2012-1-13 14976]
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-11-5 2326912]
S2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2013-10-23 166352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\WDDMService.exe [2011-8-1 263056]
S2 WDFMEService;WDFMEService;c:\program files\western digital\wd smartware\WDFME.exe [2011-8-1 1592208]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-11-10 1691480]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2010-11-11 17488]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-2-28 14336]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-11-10 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-11-10 17536]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-10-6 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
SUnknown GVTDrv;GVTDrv; [x]
.
=============== File Associations ===============
.
ShellExec: QuickPDF v3.0.exe: Open=c:\program files\quickpdfconverter\QuickPdfToWord.exe "%1"
.
=============== Created Last 30 ================
.
2013-11-14 19:49:07 -------- d-----w- C:\ab9f2a67826c603b974d803c
.
==================== Find3M ====================
.
2013-11-26 12:54:56 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2013-11-26 12:54:41 17488 ----a-w- c:\windows\gdrv.sys
2013-11-19 13:21:07 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-19 13:21:07 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-10-13 08:16:43 841216 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 08:16:41 1830912 ------w- c:\windows\system32\inetcpl.cpl
2013-10-13 08:16:40 78336 ----a-w- c:\windows\system32\ieencode.dll
2013-10-13 08:16:39 17408 ----a-w- c:\windows\system32\corpol.dll
2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 15:07:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-09 15:07:26 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 15:07:22 17813896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-08 11:50:41 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 11:29:36 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14:01 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-09-04 13:47:50 991232 ----a-w- c:\windows\system32\ieframe.dll.mui
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-29 00:56:06 26240 ----a-w- c:\windows\system32\drivers\usbser.sys
.
============= FINISH: 15:51:15.60 ===============


ASWMBR:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-11-26 16:38:49
-----------------------------
16:38:49.921 OS Version: Windows 5.1.2600 Service Pack 3
16:38:49.921 Number of processors: 2 586 0x603
16:38:49.921 ComputerName: RKD UserName: Bob
16:38:59.890 Initialize success
16:39:23.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:39:23.609 Disk 0 Vendor: WDC_WD10EACS-32D6B1 01.01A01 Size: 953869MB BusType: 3
16:39:24.390 Disk 0 MBR read successfully
16:39:24.390 Disk 0 MBR scan
16:39:24.390 Disk 0 Windows XP default MBR code
16:39:24.437 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238496 MB offset 63
16:39:24.453 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 47998 MB offset 488440260
16:39:24.515 Disk 0 scanning sectors +586741995
16:39:25.484 Disk 0 scanning C:\WINDOWS\system32\drivers
16:40:30.125 Service scanning
16:40:44.859 Modules scanning
16:41:07.171 Disk 0 trace - called modules:
16:41:07.187 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:41:07.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8d8ab8]
16:41:07.187 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000065[0x8a8c2f18]
16:41:07.203 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a8de940]
16:41:07.203 Scan finished successfully
16:41:20.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bob\Desktop\MBR.dat"
16:41:20.593 The log file has been saved successfully to "C:\Documents and Settings\Bob\Desktop\aswMBR.txt"

Dakeyras
2013-12-07, 12:39
Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi, my apologies for the delay and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:


I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.

Back up the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

Click on Start >> Run... (or the Windows key and R together) to bring up the Run box and copy and paste in:

"C:\Program Files\ERUNT\ERUNT.EXE" %SystemRoot%\ERDNT\SN-Backup
and click on OK.

Temp' Disable TeaTimer:

This is so it will not hinder the malware removal process; you may re-enable it when I give the all clear.

How to do so can be read here (http://forums.spybot.info/showpost.php?p=1150&postcount=2), scroll down to:-


When Spybot-S&D version 1.6.2 is installed

TeaTimer needs to be disabled so that its protection does not interfere with fixes.

Scan with AdwCleaner:

Please download adwcleaner from here (http://www.bleepingcomputer.com/download/adwcleaner/) and save to your desktop.

Alternate downloads are here (http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml) or here (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner).


Double-click on adwcleaner.exe to launch the application.
Now click on the Scan tab >> once the scan is complete click on the Report tab.
You will then be presented with the report. Copy & Paste this report into your next reply.
Close AdwCleaner and do not have it fix/remove anything at this time.

Note: The log can also be located at C: >> AdwCleaner >> AdwCleaner[R0].txt

Dakeyras
2013-12-10, 13:02
Due to the lack of feedback this Topic is closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS logs and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.