yet another win32 downloader....



Bicycle Rider
2014-02-07, 17:53
Hi

Yeah, I got that notice that Spybot couldn't remove it because it was running. So I tried having Spybot scan upon start-up and it still didn't work, nor would running Spybot as administrator. Any other suggestions? Please use plain English, as I am no 'Zero Cool'.

Juliet
2014-02-07, 19:06
Instructions for producing the DDS and aswMBR logs


DDS Log

Download DDS to your desktop from one of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)

Double click the tool to run it.
If a black screen opens, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt.
Copy/Paste the contents of DDS.txt and attach.txt into your post. Please do not use code wrap.


aswMBR Log

Important! Please do not perform any fix options offered in aswMBR.

Please download aswMBR (http://public.avast.com/%7Egmerek/aswMBR.exe) to your desktop.

Double click the aswMBR icon to run it.
Click the Scan button to start the scan.
If you are asked to update the Avast virus database, please allow it to do so.
When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your reply with the DDS logs.


If the infection prevents you from obtaining logs, please start a topic and make note of the situation, provide details of the computer's current symptoms and wait for a response.
Do not post other logs or use "code wrap" unless requested in that format. :)


---------------------------------------------------------------------------------------------

Bicycle Rider
2014-02-09, 00:56
OK, here are the two .txt pages (I don't know which is which, but you did say post both).
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/8/2012 2:21:34 AM
System Uptime: 2/8/2014 5:48:04 PM (0 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. | | F1A55-M LE R2.0
Processor: AMD A6-3650 APU with Radeon(tm) HD Graphics | FM1 | 2600/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 867.289 GiB free.
D: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP67: 11/14/2013 3:22:55 PM - Windows Update
RP68: 11/14/2013 3:27:03 PM - Windows Update
RP69: 11/18/2013 10:29:34 PM - Windows Update
RP70: 11/18/2013 10:49:33 PM - Windows Update
RP71: 11/23/2013 5:44:34 PM - Windows Update
RP72: 11/25/2013 11:44:15 AM - Windows Update
RP73: 12/4/2013 3:15:32 PM - Windows Update
RP74: 12/7/2013 9:12:59 PM - Windows Update
RP75: 12/7/2013 9:42:03 PM - Windows Update
RP76: 12/13/2013 5:26:40 PM - Windows Update
RP77: 12/13/2013 6:02:46 PM - Windows Update
RP78: 12/15/2013 2:26:20 PM - Windows Update
RP79: 12/20/2013 9:40:11 AM - Windows Update
RP80: 12/24/2013 10:06:28 AM - Windows Update
RP81: 1/1/2014 9:51:51 AM - Installed DeLorme Topo North America 10.0.
RP82: 1/1/2014 10:38:09 AM - Removed DeLorme Topo USA 8.0.
RP83: 1/7/2014 11:22:09 AM - Windows Update
RP84: 1/14/2014 3:27:55 PM - Windows Update
RP85: 1/21/2014 8:28:25 PM - Windows Update
RP86: 1/21/2014 8:37:36 PM - Windows Update
RP87: 1/27/2014 9:35:10 AM - Windows Update
RP88: 2/5/2014 9:43:18 AM - Windows Update
.
==== Installed Programs ======================
.
64 Bit HP CIO Components Installer
Adobe Acrobat 4.0
Adobe ActiveShare 1.2
Adobe Flash Player 12 ActiveX
Adobe Reader XI (11.0.06)
Advertising Center
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Fuel
AMD VISION Engine Control Center
BufferChm
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
D4100
D4100_Help
DeLorme Topo North America 10.0
DeviceDiscovery
DolbyFiles
Eudora
GPBaseService2
HP Customer Participation Program 13.0
HP Deskjet & Photosmart Printer Driver Software 13.0 Rel. A
HP Imaging Device Functions 13.0
HP Photosmart Essential 3.5
HP Smart Web Printing 4.51
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
HPPhotoGadget
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSSupply
ImagXpress
Java 7 Update 21
Java 7 Update 21 (64-bit)
Java Auto Updater
K-Lite Codec Pack 9.6.5 (64-bit)
K-Lite Codec Pack 9.6.5 (Full)
Kazoo Player
KeyBar 1.8 Toolbar
LibreOffice 4.0 Help Pack (English)
LibreOffice 4.0.2.2
Malwarebytes Anti-Malware version 1.75.0.1300
MarketResearch
Menu Templates - Starter Kit
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2000 Premium
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
Movie Templates - Starter Kit
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero StartSmart OEM
Nero Vision
Nero Vision Help
NeroExpress
neroxml
Photo Story 3 for Windows
Picasa 3
PL-2303 USB-to-Serial
Ralink Wireless LAN
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Search Protect by conduit
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
SF_CDA_ProductContext
SF_CDA_Software
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
Spybot - Search & Destroy
Status
SUPERAntiSpyware
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
WebReg
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
2/5/2014 9:30:57 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 109.107.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=2.1.10003.0&sig=109.107.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: Network Inspection System Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 2.1.10003.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
2/5/2014 9:30:57 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.2713.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/5/2014 9:30:57 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.2713.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.10201.0&avdelta=1.165.2713.0&asdelta=1.165.2713.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
2/5/2014 9:30:57 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.2713.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.10201.0&avdelta=1.165.2713.0&asdelta=1.165.2713.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
2/5/2014 12:03:53 PM, Error: Service Control Manager [7000] - The Search Protect by Conduit Updater service failed to start due to the following error: The system cannot find the file specified.
2/5/2014 10:18:59 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/5/2014 10:18:59 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
2/1/2014 6:30:01 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.2713.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
2/1/2014 6:30:01 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.165.2713.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10201.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
2/1/2014 6:21:24 PM, Error: NetBT [4321] - The name "CHRIS-PC :0" could not be registered on the interface with IP address 192.168.0.104. The computer with the IP address 192.168.0.102 did not allow the name to be claimed by this computer.
2/1/2014 6:21:23 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{9ABBAC66-B5E1-4C58-BE9B-DCE4C3FFF2E4} because another computer on the network has the same name. The server could not start.
2/1/2014 6:21:23 PM, Error: NetBT [4321] - The name "CHRIS-PC :20" could not be registered on the interface with IP address 192.168.0.104. The computer with the IP address 192.168.0.102 did not allow the name to be claimed by this computer.
.
==== End Of File ===========================




DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428 BrowserJavaVersion: 10.21.2
Run by chris at 17:52:02 on 2014-02-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7633.5821 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\Rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://portal.truvista.net/zmail/?account=5xxlzs9FoNSY2pDzBjWlx8QbrA40DGB2adaepeWUp0QxeCleKkN0K2mDFuKi7kLHoKXPPXTpAicDshBQoLopit%2BuBrQiElmc34Ob6HBUgQ8k3C7UkiQROUYfNmDQm4YdFZCcGSqUlmGUTtaluhVIrWe8TKpeEUcnLnp71Y0U4Ko%3D&zmuser=bicyclerider&autologin=true
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
mURLSearchHooks: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
mWinlogon: Userinit = userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: KeyBar 1.8 Toolbar: {9ED31F84-C8B3-4926-B950-DFF74047FF79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
TB: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [BackgroundContainer] "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\chris\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [OtShot] C:\Program Files (x86)\OtShot\otshot.exe -minimize
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SYMANT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\1033\OLFSNT40.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{46746935-033A-4264-8F76-E4937AEDAD6D} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{9ABBAC66-B5E1-4C58-BE9B-DCE4C3FFF2E4} : DHCPNameServer = 192.168.0.1
SSODL: WebCheck - <orphaned>
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-5-8 204288]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-7-28 361984]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 134944]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2012-5-8 46136]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 rt61x64;RT61 Extensible Wireless Driver;C:\Windows\System32\drivers\netr6164.sys [2010-4-7 446304]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-8 726160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-12-13 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-5-8 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-8 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-5-8 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-5-8 1255736]
S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
.
=============== Created Last 30 ================
.
2014-02-05 14:43:27 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D48E94CF-AF6D-44EB-A666-FBD9EEFC43ED}\mpengine.dll
2014-01-27 14:35:18 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-23 15:58:11 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{84402274-0421-42AA-A15B-664E3C63BF0D}\gapaengine.dll
2014-01-22 01:23:45 53248 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2014-01-22 01:23:44 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2014-01-22 01:23:44 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2014-01-22 01:23:44 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2014-01-22 01:23:44 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2014-01-22 01:23:44 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2014-01-22 01:23:44 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2014-01-22 01:23:40 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-01-22 01:23:39 376768 ----a-w- C:\Windows\System32\drivers\netio.sys
.
==================== Find3M ====================
.
2014-02-08 22:50:32 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-08 22:50:32 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-06 19:23:36 4558848 ----a-w- C:\Windows\SysWow64\GPhotos.scr
2013-11-26 10:19:07 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2013-11-26 10:18:23 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2013-11-26 09:48:07 66048 ----a-w- C:\Windows\System32\iesetup.dll
2013-11-26 09:46:25 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2013-11-26 09:23:02 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-11-26 09:18:39 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-11-26 09:18:09 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2013-11-26 09:16:57 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2013-11-26 08:35:02 5769216 ----a-w- C:\Windows\System32\jscript9.dll
2013-11-26 08:28:16 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2013-11-26 08:16:12 4243968 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-11-26 08:02:16 1995264 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-11-26 07:32:06 1928192 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-11-26 07:07:57 2334208 ----a-w- C:\Windows\System32\wininet.dll
2013-11-26 06:33:33 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-11-23 18:26:20 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-11-23 17:47:34 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-11-12 02:23:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-11-12 02:07:29 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
1998-12-09 02:53:54 99840 ----a-w- C:\Program Files (x86)\Common Files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- C:\Program Files (x86)\Common Files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- C:\Program Files (x86)\Common Files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- C:\Program Files (x86)\Common Files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- C:\Program Files (x86)\Common Files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- C:\Program Files (x86)\Common Files\IRASRIAL.DLL
.
============= FINISH: 17:52:27.18 ===============

Juliet
2014-02-09, 01:14
AdwCleaner by Xplode

Click on this link to download: AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/)
Click on ONE of the two blue Download Now buttons that have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top advertisement.


Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete, click on "Clean".
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

When finished please post these logs.

Bicycle Rider
2014-02-09, 02:13
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-02-08 17:58:09
-----------------------------
17:58:09.127 OS Version: Windows x64 6.1.7601 Service Pack 1
17:58:09.127 Number of processors: 4 586 0x100
17:58:09.127 ComputerName: CHRIS-PC UserName: chris
17:58:11.218 Initialize success
18:14:26.713 AVAST engine defs: 14020800
18:16:55.256 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:16:55.256 Disk 0 Vendor: ST1000DM003-9YN162 CC4H Size: 953869MB BusType: 3
18:16:55.334 Disk 0 MBR read successfully
18:16:55.334 Disk 0 MBR scan
18:16:55.350 Disk 0 Windows 7 default MBR code
18:16:55.350 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:16:55.397 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
18:16:55.459 Disk 0 scanning C:\Windows\system32\drivers
18:17:06.878 Service scanning
18:17:27.205 Modules scanning
18:17:27.205 Disk 0 trace - called modules:
18:17:27.221 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:17:27.221 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007779060]
18:17:27.221 3 CLASSPNP.SYS[fffff8800194843f] -> nt!IofCallDriver -> [0xfffffa8006febd10]
18:17:27.221 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80074c3060]
18:17:28.843 AVAST engine scan C:\
19:04:47.518 Scan finished successfully
19:11:12.776 Disk 0 MBR has been saved successfully to "C:\Users\chris\Documents\MBR.dat"
19:11:12.823 The log file has been saved successfully to "C:\Users\chris\Documents\aswMBR.txt"


Thanks much. Has it been removed or is there more I have to do?

Bicycle Rider
2014-02-09, 02:31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Windows 7 Home Premium x64
Ran by chris on Sat 02/08/2014 at 19:23:10.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\otshot
Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Value Name Type Value Data
========================================================================================
BackgroundContainer REG_SZ "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\chris\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun




~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\surfcanyon.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installedbrowserextensions
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\surf canyon
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\toolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\installiq
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\solid savings
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\surf canyon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\surfcanyon.bhosite
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\surfcanyon.bhosite.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\surf canyon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3286042
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211621178}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5542F331-FA98-468B-8E96-1A2651935DD4}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ed31f84-c8b3-4926-b950-dff74047ff79}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{9ed31f84-c8b3-4926-b950-dff74047ff79}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\chris\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\chris\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\chris\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\chris\appdata\locallow\surfcanyon"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\searchprotect"
Failed to delete: [Folder] "C:\Program Files (x86)\surf canyon"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/08/2014 at 19:29:01.41
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bicycle Rider
2014-02-09, 02:43
This was already open on my desktop upon restart. I'm Ass-U-Me-ing this is the report you want.

# AdwCleaner v3.018 - Report created 08/02/2014 at 19:39:22
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : chris - CHRIS-PC
# Running from : C:\Users\chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I3Y6QHJA\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Surf Canyon
Folder Deleted : C:\Program Files (x86)\KeyBar_1.8
Folder Deleted : C:\Users\chris\AppData\LocalLow\KeyBar_1.8

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A3514F71-E63F-440B-8076-14226E21B2BF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8B78662B-577F-4D86-82C1-3752D2A160E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{68AD96A1-2A28-4841-ABD0-F5AA45F008C9}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BA3105E9-5DE6-4A1E-A819-6F5046AB67F5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B78662B-577F-4D86-82C1-3752D2A160E4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8B78662B-577F-4D86-82C1-3752D2A160E4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8B78662B-577F-4D86-82C1-3752D2A160E4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C52904F6-D6B4-43FA-8912-3054F9716204}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF042712-1244-4523-A026-6D5809822BA9}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{68AD96A1-2A28-4841-ABD0-F5AA45F008C9}
Key Deleted : HKCU\Software\AppDataLow\Software\Surf Canyon
Key Deleted : HKCU\Software\AppDataLow\Software\KeyBar_1.8
Key Deleted : HKLM\Software\KeyBar_1.8
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeyBar_1.8 Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


*************************

AdwCleaner[R0].txt - [3632 octets] - [08/02/2014 19:32:14]
AdwCleaner[S0].txt - [3392 octets] - [08/02/2014 19:39:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3452 octets] ##########

Bicycle Rider
2014-02-09, 03:04
Now I'm getting two pop-ups upon startup. Both say the same thing:

RUN DLL

c:\users\chris\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll

Could not be found.

Or words to that effect (the file name is correct).

Juliet
2014-02-09, 03:10
Now I'm getting two pop-ups upon startup. Both say the same thing:

RUN DLL

c:\users\chris\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll

Could not be found.

Or words to that effect (the file name is correct).

Yes, that's from the infection. Probably means only partly removed at this point.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The logs from the next scanner will be long, just make multiple posts as needed.

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.

(use correct version for your system.....Which system am I using? (http://support.microsoft.com/kb/827218))


Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
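The RunDLL popup is the Run value JRT flagged earlier (BackgroundContainer, rundll32 pointing at the Conduit DLL) firing at logon after the DLL itself was deleted. The PowerShell below is an added example, not code from this thread or from any of the tools named in it; it walks the standard Run/RunOnce keys and reports every entry whose target file no longer exists. Only the standard Windows autorun key locations are assumed.

```powershell
# Added example for this thread, not a tool the helper posted: list autorun entries
# whose target file no longer exists. An orphaned rundll32 Run value is exactly what
# produces the "RunDLL ... could not be found" popup at logon once the DLL is gone.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds that are not real registry values.
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunTargetPath {
    param([string]$CommandLine)
    # rundll32 form, e.g. "C:\Windows\SysWOW64\Rundll32.exe" "C:\...\Foo.dll",DllRun
    # The file that matters is the DLL argument, not rundll32.exe itself.
    if ($CommandLine -match 'rundll32(\.exe)?"?\s+"?([^",]+?\.dll)') {
        return $Matches[2]
    }
    # Ordinary entries: a quoted path, or the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Find-OrphanRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties
        foreach ($p in $props) {
            if ($PsNoise -contains $p.Name) { continue }
            $raw    = Get-RunTargetPath -CommandLine ([string]$p.Value)
            $target = [Environment]::ExpandEnvironmentVariables($raw)
            # An empty target (malformed value) is reported as missing rather than crashing.
            $missing = if ($target) { -not (Test-Path -LiteralPath $target) } else { $true }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Target  = $target
                Missing = $missing
            }
        }
    }
}

# Show only the orphans; drop the Where-Object to audit every autorun entry.
Find-OrphanRunEntry | Where-Object Missing | Format-List
```

Run it from an elevated PowerShell so the HKLM keys are readable; an orphan can then be cleared with Remove-ItemProperty once you have confirmed the target file is really gone.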

Bicycle Rider
2014-02-09, 04:02
It gave me powercleaner again, and something called smart cleaner. Both scan, then tell me I have to buy their product to fix the problems they 'found'. I am very suspicious of 'free' programs that do this. Just how bad is this Win32 downloader (assuming it's still in my system) anyway?

Bicycle Rider
2014-02-09, 04:16
I HAVE ALL SORTS OF UNWANTED PROGRAMS ON MY DESKTOP, PROGRAMS TRYING TO START AND GET ME TO BUY SHIT AND MY BROWSER HOMEPAGE HAS BEEN CHANGED! WHAT KIND OF SCAM ARE YOU RUNNING HERE?! :mad:

THANKS FOR NOTHING, EXCUSE ME WHILE I TRY AND CLEAN UP THE MESS YOU CREATED!

Bicycle Rider
2014-02-09, 05:27
And I cannot update my Spybot program any more either! Seems it can no longer contact the updater. Very slick, corrupting your own product; but if you think I intend to waste my money buying another program you have another think coming. I have uninstalled S&D and will be looking for another anti-spyware program.

Juliet
2014-02-09, 12:46
It gave me powercleaner again, and something called smart cleaner. Both scan, then tell me I have to buy their product to fix the problems they 'found'. I am very suspicious of 'free' programs that do this. Just how bad is this Win32 downloader (assuming it's still in my system) anyway?

Settle down.

Nothing I posted for you to download and clean this machine will ask you to buy a thing. We are Malware Removers trying to help those who became infected off the internet. The infection you have is causing this problem, not me. From this point on use respectful language and manners. I do want to mention that I will not allow verbal abuse from someone I am trying to help.....got it????

If you were unable to download and use the last tool requested (Farbar Recovery Scan Tool), let's see if we can continue.

If after you download the next tool it will not run for whatever reason, try to go into safe mode and run it from there.


Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)



**********************
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Download ComboFix from here:
Link 1 (http://www.bleepingcomputer.com/download/combofix/)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Place ComboFix.exe on your Desktop <--Important

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html)
Double click on ComboFix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (http://en.wikipedia.org/wiki/Recovery_Console) (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
---------------------------------------------------------------------------------------------
If there are Internet issues after running ComboFix:
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari
Launch Safari
Go to general settings menu
Then in Preferences/ Advanced
Then on line click Proxies change settings ...
Click Internet Options, then click the Connections tab, click Network Settings.
Disable option (uncheck) for the use of proxy server ...

Juliet
2014-02-11, 18:55
Due to the lack of feedback this Topic is closed.