Hi.
I deleted all the files except conduit engine which was not there.
OK.
When I tried to copy and paste the OTL.txt file into this post it would never finish
Not a problem. It appears the hosts file is compromised with over 433,281 entries, which accounts for the size of the OTL log; anyway, we should be able to deal with the aforementioned in due course.
Yes, I do use AOL from time to time.
Fair play, the only reason I asked was because you have some Viewpoint related software installed, and usually this is a consequence of running AOL related software. Technically such is not malware but does have some undesirable characteristics. Now we may be able to rectify this dire side of anything AOL related, but we can come back to this next time once we have dealt with the major issues, OK.
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
Click on Start >> Run... (or the Windows key and R together) to bring up the Run box and copy and paste in:
"C:\Program Files\ERUNT\ERUNT.EXE" %SystemRoot%\ERDNT\OTL-backup
and click on OK.
FixPolicies:
Please download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here.
- Double-click FixPolicies.exe.
- Click the "Install" button on the bottom toolbar of the box that will open.
- The program will create a new Folder called FixPolicies.
- Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
- A black box should briefly appear and then close.
- Leave FixPolicies on your desktop please until I otherwise advise, thank you.
Custom OTL Script:
- Double-click OTL.exe to start the program.
- Copy the lines from the quote-box (do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:OTL
SRV - (Automatic LiveUpdate Scheduler) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (6to4) -- File not found
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\URLSearchHook: {2b2505fa-fd68-0144-9128-cd617bdca8c2} - C:\Program Files\SocialRibbons LP2\Helper.dll ()
IE - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = http://localhost;*.local
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O2 - BHO: (SocialRibbons LP2) - {AE92E5DE-20F7-9934-D515-7BE13880A842} - C:\Program Files\SocialRibbons LP2\Toolbar.dll ()
O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Common Files\FreeCause\DCA\dca-bho.dll (Compete, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009..\Run: [updateMgr] File not found
O15 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} Reg Error: Value error. (BrowseFolderPopup Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} http://install.wildtangent.com/cda/islandrally/ActiveLauncher/CDA_AL.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} Reg Error: Value error. (DwnldGroupMgr Class)
O16 - DPF: DirectAnimation Java Classes Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
[2011/08/02 09:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amy Toth\Application Data\PriceGong
[2011/07/23 13:49:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amy Toth\Application Data\FCTB000100291
[2011/07/23 13:49:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amy Toth\Start Menu\Programs\SocialRibbons LP2
[2011/07/23 13:49:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\FreeCause
[2011/07/23 13:49:03 | 000,000,000 | ---D | C] -- C:\Program Files\SocialRibbons LP2
[2011/07/23 13:48:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amy Toth\Local Settings\Application Data\Conduit
[2 C:\Documents and Settings\Amy Toth\My Documents\*.tmp files -> C:\Documents and Settings\Amy Toth\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/07/28 14:09:09 | 000,000,206 | ---- | M] () -- C:\WINDOWS\System32\bbdecfabcf_g.dll
[2011/07/28 14:09:09 | 000,000,206 | ---- | M] () -- C:\WINDOWS\System32\abacaddec5_g.ocx
[2009/01/23 00:28:10 | 000,000,000 | ---D | M](C:\Documents and Settings\Amy Toth\Application Data\???????sAppData) -- C:\Documents and Settings\Amy Toth\Application Data\???????sAppData
[2009/01/23 00:28:10 | 000,000,000 | ---D | M](C:\Documents and Settings\Amy Toth\Application Data\???????sAppData) -- C:\Documents and Settings\Amy Toth\Application Data\???????sAppData
(C:\Documents and Settings\Amy Toth\Application Data\???????sAppData) -- C:\Documents and Settings\Amy Toth\Application Data\???????sAppData
@Alternate Data Stream - 24 bytes -> C:\WINDOWS:0F6BF406092276E8
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2
:Files
ipconfig /flushdns /c
%systemroot%\prefetch\*.*
C:\Program Files\Ares
C:\Program Files\SocialRibbons LP2
c:\windows\system32\qoMdAQkj
c:\windows\system32\zabunego.dll
C:\Program Files\Common Files\FreeCause
:Reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"=-
"445:TCP"=-
"137:UDP"=-
"138:UDP"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"=-
"445:TCP"=-
"137:UDP"=-
"138:UDP"=-
"1900:UDP"=-
"2869:TCP"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Ares\Ares.exe"=-
:Commands
[Purity]
[ResetHosts]
[EmptyFlash]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]
- Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
- Then click the red Run Fix button.
- Let the program run unhindered.
- If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.
Malwarebytes Anti-Malware:
- Launch the application, Check for Updates >> Perform quick scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When you have completed the above, please post back the following in the order asked for:
- How is your computer performing now, any further symptoms and or problems encountered?
- OTL Log from the Custom Script.
- Malwarebytes Anti-Malware Log.
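As an added example (not part of this thread, and not code from the OTL tool), here is a small Python triage of OTL scan lines in the format used in the script above: it separates entries whose target is already gone ("File not found" / "No CLSID value found") from loaded modules whose publisher field is empty, which are the two things a helper reads first when deciding what to remove. The sample lines are constructed from entries quoted in the script above.

```python
import re

# Constructed sample in OTL's log format; the entries are taken from the fix script above.
SAMPLE_LOG = "\n".join([
    r"SRV - (AppMgmt) -- File not found",
    r"O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.",
    r"O2 - BHO: (SocialRibbons LP2) - {AE92E5DE-20F7-9934-D515-7BE13880A842} - C:\Program Files\SocialRibbons LP2\Toolbar.dll ()",
    r"O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Common Files\FreeCause\DCA\dca-bho.dll (Compete, Inc.)",
    r"O4 - HKU\S-1-5-21-1679272264-1782906089-84492715-1009..\Run: [updateMgr] File not found",
])

LINE_RE = re.compile(r"^(?P<kind>O\d+|SRV) - (?P<body>.*)$")   # "O2 - ..." or "SRV - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                  # {GUID} if the entry has one
PUBLISHER_RE = re.compile(r"\((?P<publisher>[^()]*)\)\s*$")      # trailing "(Company)" or "()"

def classify(line):
    """Tag one OTL entry, or return None for a line that is not an entry.
    'orphan'       : registry entry whose file or CLSID target no longer exists
    'no_publisher' : a module that loaded but carries an empty publisher field "()"
    'publisher'    : a module whose publisher OTL could read from the file
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    if "File not found" in body or "No CLSID value found" in body:
        return "orphan"
    pub = PUBLISHER_RE.search(body)
    if pub is not None and pub.group("publisher").strip() == "":
        return "no_publisher"
    return "publisher"

def triage(log_text):
    """Group entries by tag; each item is (kind, clsid or None, full line)."""
    groups = {"orphan": [], "no_publisher": [], "publisher": []}
    for line in log_text.splitlines():
        tag = classify(line)
        if tag is None:
            continue
        kind = LINE_RE.match(line).group("kind")
        clsid = CLSID_RE.search(line)
        groups[tag].append((kind, clsid.group(0) if clsid else None, line))
    return groups

if __name__ == "__main__":
    for tag, items in triage(SAMPLE_LOG).items():
        print(tag, len(items))
        for kind, clsid, line in items:
            print("   ", kind, clsid or "-", line[:70])
```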