Adware Dealply infection

Help please. I have tried everything to get rid of this infection: Malwarebytes, ESET online scanner, Norton Power Eraser, and my Symantec Endpoint keeps finding it. Here is the message from our antivirus program:
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Adware.DealPly
File: C:\Documents and Settings\rlenihan\Local Settings\Temporary Internet Files\Content.IE5\1NEDWOOZ\opt_content[1].js
Location: Quarantine
Computer: RICKL-PC
User: rlenihan
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, May 01, 2013 10:42:50 AM

Re: Adware Dealply infection

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 seconds. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.
*******************************************************
Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

********************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Re: Adware Dealply infection

# AdwCleaner v2.300 - Logfile created 05/01/2013 at 15:27:53
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : rlenihan - RICKL-PC
# Boot Mode : Normal
# Running from : C:\Documents and Settings\rlenihan\Desktop\new programs\adwarecleaner\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\DOCUME~1\jsullivan\LOCALS~1\Temp\boost_interprocess
Folder Found : C:\Documents and Settings\rlenihan\Application Data\PriceGong
Folder Found : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Folder Found : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Folder Found : C:\Documents and Settings\rlenihan\Local Settings\Application Data\PackageAware
Folder Found : C:\Program Files\Conduit

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\ConduitSearchScopes
Key Found : HKCU\Software\Google\Chrome\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Key Found : HKCU\Software\Google\Chrome\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Key Found : HKCU\Software\Headlight
Key Found : HKCU\Software\PriceGong
Key Found : HKCU\Software\SmartBar
Key Found : HKCU\Software\Viewpoint
Key Found : HKLM\SOFTWARE\Classes\20070122200339_auto_file
Key Found : HKLM\SOFTWARE\Classes\20090113181753_auto_file
Key Found : HKLM\SOFTWARE\Classes\20090203204200_auto_file
Key Found : HKLM\SOFTWARE\Classes\20090323125414_auto_file
Key Found : HKLM\SOFTWARE\Classes\20090420144432_auto_file
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT206407
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3241284
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Found [l.23] : icon_url = "hxxp://search.conduit.com/fav.ico",
Found [l.26] : keyword = "search.conduit.com",
Found [l.30] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN34181151041328202&ctid=CT3241284&UM=2",
Found [l.31] : suggest_url = "hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN34181151041328202&UM=2"

*************************

AdwCleaner[R1].txt - [1096 octets] - [01/05/2013 15:27:55]

########## EOF - H:\AdwCleaner[R1].txt - [1096 octets] ##########

# AdwCleaner v2.300 - Logfile created 05/01/2013 at 15:29:01
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : rlenihan - RICKL-PC
# Boot Mode : Normal
# Running from : C:\Documents and Settings\rlenihan\Desktop\new programs\adwarecleaner\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Deleted on reboot : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Folder Deleted : C:\DOCUME~1\jsullivan\LOCALS~1\Temp\boost_interprocess
Folder Deleted : C:\Documents and Settings\rlenihan\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\rlenihan\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Program Files\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Classes\20070122200339_auto_file
Key Deleted : HKLM\SOFTWARE\Classes\20090113181753_auto_file
Key Deleted : HKLM\SOFTWARE\Classes\20090203204200_auto_file
Key Deleted : HKLM\SOFTWARE\Classes\20090323125414_auto_file
Key Deleted : HKLM\SOFTWARE\Classes\20090420144432_auto_file
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT206407
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3241284
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cgpimkfhjdaobobdomcikioipaenlhke
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\rlenihan\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.23] : icon_url = "hxxp://search.conduit.com/fav.ico",
Deleted [l.26] : keyword = "search.conduit.com",
Deleted [l.30] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN34[...]
Deleted [l.31] : suggest_url = "hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=U[...]

*************************

AdwCleaner[R1].txt - [3423 octets] - [01/05/2013 15:27:55]
AdwCleaner[S1].txt - [1116 octets] - [01/05/2013 15:29:02]

########## EOF - H:\AdwCleaner[S1].txt - [1116 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.3 (04.29.2013:2)
OS: Microsoft Windows XP x86
Ran by rlenihan on 05/01/2013 at 15:48:38.78
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FA2DBC50-63ED-4F1B-9830-33434D614101}



~~~ Files

Successfully deleted: [File] "C:\end"
Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\rlenihan\Application Data\strongvault"
Successfully deleted: [Folder] "C:\Program Files\registry mechanic"
Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"
Successfully deleted: [Folder] "C:\ai_recyclebin"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/01/2013 at 15:51:34.64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Check software returned this:
UNSUPPORTED OPERATING SYSTEM!

ABORTED!
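Added example (not from the thread, and not AdwCleaner's own code): the four Chrome Preferences lines AdwCleaner reported in the log above are the default search provider pointing at search.conduit.com, with Conduit affiliate identifiers (ctid, CUI) in the query strings. The Python below reproduces that check offline. It reads the Preferences file as JSON, flags provider URLs whose host is not on an allow-list and any query parameter that looks like an affiliate identifier, and shows the remediation AdwCleaner applied: drop the overriding block so Chrome falls back to its built-in default. The `default_search_provider` key layout, the allow-list and the sample document are assumptions; the sample values are copied from the log above with the defanged hxxp restored to http.

```python
"""Flag a hijacked default search provider in a Chrome Preferences file."""
import copy
import json
from urllib.parse import parse_qs, urlparse

# Search hosts the machine's owner actually intends to use (assumption: an
# allow-list the operator maintains; extend for other engines).
TRUSTED_SEARCH_HOSTS = {"google.com", "bing.com", "search.yahoo.com"}

# URL-valued fields of the provider block, and query parameters that identify
# a toolbar/affiliate bundle (ctid and CUI are the ones in the posted log).
URL_FIELDS = ("icon_url", "search_url", "suggest_url", "instant_url")
AFFILIATE_PARAMS = {"ctid", "cui"}

# Constructed sample: the four values AdwCleaner reported, placed in the
# default_search_provider block (key layout assumed to match Chrome 26).
CONSTRUCTED_PREFS = {
    "default_search_provider": {
        "enabled": True,
        "icon_url": "http://search.conduit.com/fav.ico",
        "keyword": "search.conduit.com",
        "search_url": "http://search.conduit.com/Results.aspx?q={searchTerms}"
                      "&SearchSource=49&CUI=UN34181151041328202&ctid=CT3241284&UM=2",
        "suggest_url": "http://suggest.search.conduit.com/CSuggestJson.ashx"
                       "?prefix={searchTerms}&CUI=UN34181151041328202&UM=2",
    }
}


def normalise_host(host):
    """Lower-case a host and drop a leading www. so google.com == www.google.com."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_search_provider(prefs):
    """Return (field, value, reason) findings for the provider block of parsed prefs."""
    findings = []
    dsp = prefs.get("default_search_provider")
    if not isinstance(dsp, dict):
        return findings  # no override present: Chrome uses its built-in default
    for field in URL_FIELDS:
        url = dsp.get(field)
        if not url:
            continue
        parsed = urlparse(url)
        host = normalise_host(parsed.hostname)
        if host not in TRUSTED_SEARCH_HOSTS:
            findings.append((field, url, "untrusted host " + host))
        # Affiliate IDs in the query string tie the provider to a toolbar bundle.
        affiliates = {k.lower() for k in parse_qs(parsed.query)} & AFFILIATE_PARAMS
        if affiliates:
            findings.append((field, url, "carries toolbar affiliate id " + ", ".join(sorted(affiliates))))
    keyword = normalise_host(dsp.get("keyword"))
    if keyword and keyword not in TRUSTED_SEARCH_HOSTS:
        findings.append(("keyword", dsp["keyword"], "keyword names untrusted host " + keyword))
    return findings


def remove_hijacked_provider(prefs):
    """Copy prefs and drop the provider block when it is hijacked; Chrome then reverts to its default."""
    cleaned = copy.deepcopy(prefs)
    if check_search_provider(cleaned):
        cleaned.pop("default_search_provider", None)
    return cleaned


def scan_preferences_file(path):
    """Load a real Preferences file from disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return check_search_provider(json.load(fh))


if __name__ == "__main__":
    for field, value, reason in check_search_provider(CONSTRUCTED_PREFS):
        print("%-12s %-45s %s" % (field, reason, value))
```

Run as a script it lists the six findings for the constructed sample; `scan_preferences_file()` applies the same check to a real file (the path for this machine is the one AdwCleaner printed under Google Chrome). Close Chrome before reading or rewriting the file, as a running browser rewrites Preferences on exit and would undo an edit.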


Re: Adware Dealply infection

Download ComboFix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder, you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

[image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Re: Adware Dealply infection

ComboFix 13-05-01.03 - rlenihan 05/01/2013 18:37:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2104 [GMT -4:00]
Running from: c:\documents and settings\rlenihan\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\rlenihan\GoToAssistDownloadHelper.exe
C:\install.exe
c:\windows\Downloaded Program Files\Install.inf
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\system32\aosmtp.dll
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\UNWISE.EXE
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FAD
.
.
((((((((((((((((((((((((( Files Created from 2013-04-01 to 2013-05-01 )))))))))))))))))))))))))))))))
.
.
2013-05-01 19:48 . 2013-05-01 19:48 -------- d-----w- c:\windows\ERUNT
2013-05-01 19:48 . 2013-05-01 19:48 -------- d-----w- C:\JRT
2013-05-01 12:48 . 2013-05-01 12:48 167344 ----a-w- c:\windows\system32\mfevtps.exe.8c8a.deleteme
2013-05-01 12:46 . 2013-05-01 12:46 -------- d-----w- C:\Stinger_Quarantine
2013-04-30 15:57 . 2013-04-30 15:57 -------- d-----w- c:\windows\Microsoft Antimalware
2013-04-30 13:02 . 2013-05-01 12:38 -------- d-----w- c:\documents and settings\rlenihan\Local Settings\Application Data\NPE
2013-04-30 13:02 . 2013-04-30 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-04-29 20:37 . 2013-04-29 20:37 -------- d-----w- c:\program files\FileASSASSIN
2013-04-29 13:40 . 2013-04-29 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\VS Revo Group
2013-04-29 13:36 . 2013-04-29 13:36 -------- d-----w- c:\program files\VideoSaver
2013-04-29 13:26 . 2013-04-29 13:26 -------- d-----w- c:\documents and settings\rlenihan\Local Settings\Application Data\CRE
2013-04-18 14:30 . 2013-04-18 14:30 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-18 14:29 . 2013-04-18 14:29 0 ----a-w- c:\windows\system32\RENB04.tmp
2013-04-18 14:29 . 2013-04-18 14:29 0 ----a-w- c:\windows\system32\RENB03.tmp
2013-04-04 15:56 . 2013-04-04 15:56 -------- d-----w- c:\program files\Uniblue
2013-04-04 15:56 . 2013-04-04 15:56 -------- d-----w- c:\documents and settings\rlenihan\Application Data\Uniblue
2013-04-02 14:09 . 2013-04-02 14:09 4550656 ----a-w- c:\windows\system32\GPhotos.scr
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-18 14:30 . 2012-09-04 14:47 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-04-18 14:30 . 2012-05-14 20:23 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-18 14:30 . 2010-04-20 12:23 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-18 14:21 . 2012-04-04 14:46 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-18 14:21 . 2011-10-19 14:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-04 18:50 . 2008-10-27 14:18 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-23 01:09 . 2013-03-23 01:09 354656 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2013-03-08 14:55 . 2013-03-08 14:55 0 ----a-w- c:\windows\system32\RENC62.tmp
2013-03-08 14:55 . 2013-03-08 14:55 0 ----a-w- c:\windows\system32\RENC61.tmp
2013-03-08 08:36 . 2004-08-11 21:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2004-08-11 21:00 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-04 02:59 2028544 ------w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2004-08-11 21:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2004-08-11 21:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2004-08-11 21:00 1867264 ------w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2004-08-11 21:00 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2004-08-11 21:11 2067456 ------w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-08-24 07:36 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-11 21:00 12928 ------w- c:\windows\system32\drivers\usb8023.sys
2013-02-09 02:03 . 2013-02-09 02:03 0 ----a-w- c:\windows\system32\RENC.tmp
2013-02-09 02:03 . 2013-02-09 02:03 0 ----a-w- c:\windows\system32\RENB.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{FCA0E497-33D1-4DBE-8FDB-7F9A597C8BC2}]
2013-04-23 21:57 133528 ----a-w- c:\program files\VideoSaver\VideoSaver.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\rlenihan\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\rlenihan\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\rlenihan\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\rlenihan\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-10-29 1652736]
"Clipomatic"="c:\program files\Clipomatic\Clipomatic.exe" [1999-05-15 65536]
"GarminExpressTrayApp"="c:\program files\Garmin\Express Tray\ExpressTray.exe" [2013-03-20 1100120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-07 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-07 29744]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2012-12-18 3478752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\documents and settings\rlenihan\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-10-19 1316192]
Dropbox.lnk - c:\documents and settings\rlenihan\Application Data\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-25 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-6-27 572000]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-688789844-725345543-1112\Scripts\Logon\0\0]
"Script"=c:\winnt\SYSVOL\sysvol\bradyenterprises.com\scripts\BRScript.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-688789844-725345543-1136\Scripts\Logon\0\0]
"Script"=c:\winnt\SYSVOL\sysvol\bradyenterprises.com\scripts\BRScript.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-688789844-725345543-1155\Scripts\Logon\0\0]
"Script"=c:\winnt\SYSVOL\sysvol\bradyenterprises.com\scripts\BRScript.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1454471165-688789844-725345543-500\Scripts\Logon\0\0]
"Script"=c:\winnt\SYSVOL\sysvol\bradyenterprises.com\scripts\BRScript.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Delivery Agent.lnk]
backup=c:\windows\pss\QuickBooks Delivery Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2013-01-26 11:08 4480768 ----a-w- c:\documents and settings\rlenihan\Local Settings\Application Data\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cookienator]
2009-10-19 05:29 1333472 ----a-w- c:\program files\Cookienator\cookienator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2013-03-28 17:40 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2013-02-13 02:37 1263952 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 14:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 17:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-01-12 07:09 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RWipeKbdDemon]
2010-04-13 23:35 73728 ----a-w- c:\program files\R-Wipe&Clean\RWKbdD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-07 22:59 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [06/24/2010 11:33 AM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [06/24/2010 11:33 AM 15856]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [06/06/2011 8:16 AM 13496]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys [06/14/2012 1:13 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys [06/14/2012 1:13 PM 756856]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20130412.011\BHDrvx86.sys [04/23/2013 2:15 PM 1000024]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [06/24/2010 11:33 AM 25584]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys [06/14/2012 1:13 PM 136312]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [06/02/2009 7:05 PM 457200]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [09/30/2010 4:06 AM 169408]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe [10/24/2012 5:32 PM 1026432]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [06/20/2007 2:30 PM 79168]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [11/01/2010 11:38 AM 3744]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [06/23/2009 5:40 PM 127352]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [06/09/2009 10:11 AM 155648]
R2 Garmin Core Update Service;Garmin Core Update Service;c:\program files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [03/20/2013 4:35 PM 186200]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [06/23/2010 12:31 PM 12184]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [03/08/2010 9:06 AM 72672]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [11/01/2010 11:38 AM 3904]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [09/10/2012 2:25 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/27/2008 10:18 AM 701512]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [06/27/2012 3:25 AM 1326176]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [06/14/2012 1:13 PM 137224]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [04/25/2013 12:34 PM 3574624]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [05/01/2013 10:40 AM 106656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/27/2008 10:18 AM 22856]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 10:19 AM 15544]
S2 gupdate1c985ffd758e9eb;Google Update Service (gupdate1c985ffd758e9eb);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2009 9:03 AM 133104]
S2 HIT_PARA;HIT_PARA;c:\windows\system32\drivers\HIT_Para.sys [08/28/2008 9:51 AM 8204]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [06/23/2008 9:08 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [06/23/2008 9:06 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [06/23/2008 9:06 AM 166384]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [07/24/2009 8:33 AM 219632]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [06/27/2012 3:25 AM 681056]
S2 SessionLauncher;SessionLauncher;c:\docume~1\rlenihan\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\rlenihan\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S2 TeamViewer4;TeamViewer 4;"c:\program files\TeamViewer\Version4\TeamViewer_Service.exe" -service --> c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 esihdrv;esihdrv;\??\c:\docume~1\rlenihan\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\rlenihan\LOCALS~1\Temp\esihdrv.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [05/04/2010 4:09 PM 27064]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [06/23/2008 9:08 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [06/23/2008 9:05 AM 1120752]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [07/24/2009 8:33 AM 1116656]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 14:19 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 14:21]
.
2013-05-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-BRADYENTERPRISE-rlenihan.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-09-20 11:27]
.
2013-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-05-01 c:\windows\Tasks\dsmonitor.job
- c:\program files\Uniblue\DriverScanner\dsmonitor.exe [2013-04-04 18:47]
.
2013-05-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-07 11:39]
.
2013-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 13:03]
.
2013-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 13:03]
.
2013-05-01 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-12-09 15:27]
.
2013-05-01 c:\windows\Tasks\User_Feed_Synchronization-{CB8CBC48-7C4D-49D6-AD87-B5EFD2746333}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
2013-05-01 c:\windows\Tasks\VideoSaver Update.job
- c:\program files\VideoSaver\vdsvrur.exe [2013-04-23 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xfinity.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: amazon.com\www
Trusted Zone: bradyenterprises.com\mail
Trusted Zone: cinemanow.com
Trusted Zone: paypal.com\www
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
Trusted Zone: tripadvisor.com\www
TCP: DhcpNameServer = 192.168.1.4
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://mdiner.viewnetcam.com:50000/SysCamInst.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://65.14.83.37/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-NavLogon - (no file)
Notify-SEP - c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-ccEvtMgr
SafeBoot-ccSetMgr
SafeBoot-Symantec Antivirus
SafeBoot-Symantec Antvirus
MSConfigStartUp-Garmin Lifetime Updater - c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
MSConfigStartUp-OpwareSE4 - c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe
MSConfigStartUp-RWIP-UNB - h:\rlenihan\RWCCleaB.exe
MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
AddRemove-DocLock - c:\program files\File & Folder Lock\uninst.exe
AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE
AddRemove-Registry Mechanic_is1 - c:\program files\Registry Mechanic\unins000.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\rlenihan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
AddRemove-WS_FTP Pro - f:\winnt\IsUninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-01 18:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Clipomatic = c:\program files\Clipomatic\Clipomatic.exe??|???Z?A~.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{860F37D0-88B9-EAFE-0DA223FC9F2D4B17}\{92B5FDE0-C227-B1B3-6D9FE8922DCBDAED}\{28D3DA4D-49F1-E4D4-1516D5318029455A}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(6072)
c:\windows\system32\WININET.dll
c:\documents and settings\rlenihan\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
c:\program files\teamviewer\version8\TeamViewer.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\TeamViewer\Version8\tv_w32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
c:\program files\IObit\Advanced SystemCare 6\DelayLoad.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2013-05-01 19:01:46 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-01 23:01
.
Pre-Run: 29,924,646,912 bytes free
Post-Run: 30,170,550,272 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 10E5970B9D546077316AED829D354B97

Re: Adware Dealply infection
Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following.


Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Firefox::
    Trusted Zone: amazon.com\www
    Trusted Zone: bradyenterprises.com\mail
    Trusted Zone: cinemanow.com
    Trusted Zone: paypal.com\www
    Trusted Zone: qflix.com
    Trusted Zone: roxio.com
    Trusted Zone: sonic.com\redirect
    Trusted Zone: sonic.com\redirect2
    Trusted Zone: tripadvisor.com\www

    DDS::
    Trusted Zone: amazon.com\www
    Trusted Zone: bradyenterprises.com\mail
    Trusted Zone: cinemanow.com
    Trusted Zone: paypal.com\www
    Trusted Zone: qflix.com
    Trusted Zone: roxio.com
    Trusted Zone: sonic.com\redirect
    Trusted Zone: sonic.com\redirect2
    Trusted Zone: tripadvisor.com\www


  • Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: Cfscriptb4)

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this action.

************************************************

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
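As an added example (not part of this thread, ComboFix or RogueKiller), the following PowerShell audits the same Trusted Zone assignments directly from the registry: Internet Explorer keeps them under ZoneMap\Domains, one DWORD per URL scheme, where the data 2 means Trusted sites. It assumes that standard layout and PowerShell 2.0 or later; the function names and the removal step (previewed with -WhatIf) are my own.

```powershell
# Added example, not from the thread or from ComboFix: audit and optionally clear the
# Internet Explorer "Trusted sites" assignments that ComboFix reports as "Trusted Zone:".
# IE stores per-site zone assignments under ...\Internet Settings\ZoneMap\Domains\<domain>[\<host>],
# one value per URL scheme ("http", "https" or "*") whose DWORD data is the zone number:
# 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# (Address ranges under ZoneMap\Ranges are a separate layout and are not covered here.)

function Get-IeZoneAssignment {
    [CmdletBinding()]
    param(
        # HKCU holds the current user's assignments; HKLM holds machine-wide ones
        # (used when the Security_HKLM_only policy is set).
        [ValidateSet('HKCU', 'HKLM')]
        [string]$Hive = 'HKCU',
        # Zone number to report; 2 (Trusted sites) is the one this thread is about.
        [int]$Zone = 2
    )
    $root = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -LiteralPath $root)) { return }

    foreach ($domainKey in Get-ChildItem -LiteralPath $root) {
        # An assignment lives either on the domain key itself (cinemanow.com) or on a host
        # subkey beneath it (amazon.com\www), which is the "domain\host" form ComboFix prints.
        $keys = @($domainKey) + @(Get-ChildItem -LiteralPath $domainKey.PSPath)
        foreach ($key in $keys) {
            $site = $domainKey.PSChildName
            if ($key.PSPath -ne $domainKey.PSPath) { $site = "$site\$($key.PSChildName)" }
            foreach ($scheme in $key.GetValueNames()) {
                $data = $key.GetValue($scheme)
                if ($data -eq $Zone) {
                    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (XP).
                    New-Object PSObject -Property @{
                        Hive   = $Hive
                        Site   = $site
                        Scheme = $scheme
                        Zone   = $data
                        Key    = $key.Name   # full registry path, used by the removal step below
                    }
                }
            }
        }
    }
}

function Remove-IeZoneAssignment {
    # Deletes the zone value for each object from Get-IeZoneAssignment so the site falls back
    # to the default Internet zone. Supports -WhatIf, so the usage below only previews changes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Assignment
    )
    process {
        $keyPath = 'Registry::' + $Assignment.Key
        $target = "$($Assignment.Site) ($($Assignment.Scheme))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove zone assignment')) {
            Remove-ItemProperty -LiteralPath $keyPath -Name $Assignment.Scheme -ErrorAction Stop
            # Once no values remain, the now-empty key can go as well.
            if ((Get-Item -LiteralPath $keyPath).ValueCount -eq 0) {
                Remove-Item -LiteralPath $keyPath -Recurse -ErrorAction SilentlyContinue
            }
        }
    }
}

# Usage: list every Trusted-zone site for the current user, then preview the removal.
Get-IeZoneAssignment -Hive HKCU -Zone 2 | Format-Table Site, Scheme, Key -AutoSize
Get-IeZoneAssignment -Hive HKCU -Zone 2 | Remove-IeZoneAssignment -WhatIf
```

Drop -WhatIf only after reviewing the list; entries such as a company mail host may have been added on purpose, and a later re-audit shows whether something keeps re-adding sites.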

Re: Adware Dealply infection
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : rlenihan [Admin rights]
Mode : Scan -- Date : 05/02/2013 08:48:25
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x89E55F90)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x89DA68D8)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A20D078)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x89D786A8)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8A180238)
SSDT[43] : NtCreateMutant @ 0x806177F2 -> HOOKED (Unknown @ 0x8A1C8EE0)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x89D784C8)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x89DA0438)
SSDT[57] : NtDebugActiveProcess @ 0x80643C82 -> HOOKED (Unknown @ 0x89D78788)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x89E55070)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x89E489E0)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9332 -> HOOKED (Unknown @ 0x8A1C8FD0)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x89E55EB0)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A17FC40)
SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (Unknown @ 0x89E48900)
SSDT[114] : NtOpenEvent @ 0x8060F1B0 -> HOOKED (Unknown @ 0x89D7DFD0)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x89DA0320)
SSDT[123] : NtOpenProcessToken @ 0x805EE000 -> HOOKED (Unknown @ 0x8A4460A8)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x89D7DE30)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x89E55140)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x89D785B8)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x89DA6998)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A193250)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x89E4D8C8)
SSDT[240] : NtSetSystemInformation @ 0x8060FE68 -> HOOKED (Unknown @ 0x89D78868)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x89D7DF10)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x89DAAC50)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8A19D148)
SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x89DAAD30)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A44D6D8)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x89D7B2A0)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x89D091F0)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x89D4F3C0)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x89D4F430)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x89D09260)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x89CA5E88)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x89D58948)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x89CA6630)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A1CAFC0)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89C841A8)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A3858C0)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1601ABYS-18C0A0 +++++
--- User ---
[MBR] dea945c3ee3621b4bca3bf282f6c632c
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 152539 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] cc2722ce00da54d9761c6505dbd9f0de
[BSP] af6db586d308d85a8460cbfafb54fa0c : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7629 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05022013_02d0848.txt >>
RKreport[1]_S_05022013_02d0848.txt



Re: Adware Dealply infection
Please run RogueKiller again and delete those items.

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the (image: EsetOnline) button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on (image: EsetSmartInstall) to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the (image: EsetSmartInstallDesktopIcon-1) icon on your desktop.

• Check (image: EsetAcceptTerms)
• Click the (image: EsetStart) button.
• Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

• Check (image: EsetScanArchives)
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push (image: EsetListThreats)
• Push (image: EsetExport), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the (image: EsetBack) button.
• Push (image: EsetFinish)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Adware Dealply infection
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5ad7341046f4e442b6a295e22d6068af
# engine=13731
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-05-01 02:59:35
# local_time=2013-04-30 10:59:35 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5893 16776638 33 7 109136575 109136575 0 0
# scanned=211007
# found=18
# cleaned=18
# scan_time=21860
sh=9F3D6D3FD87EBB83098E5615E98C6C8E929EAB84 ft=1 fh=b737a2242915c4a7 vn="Java/AngryIPScan.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\CMAC\ipscan-win32-3.0-beta6.exe"
sh=066EC383C2A4DBBDD8EA15ACE1D39837FADAFF02 ft=1 fh=005a0dba193909a6 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\Defrag\ARO2011_tbt.exe"
sh=3A456433BA46533220B12FB937F68C2FE5054756 ft=1 fh=de80fd98870b182c vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\Duplicate Finder\duplicate-file-finder-setup.exe"
sh=B662EE7DF1E0B040B8B6BA986C73A278647B94D9 ft=1 fh=a0d009293ed74dab vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\Image Burn\SetupImgBurn_2.5.6.0.exe"
sh=38D920413DA6977CEC22A54F59C537D61FB5E3A7 ft=1 fh=1552aabc3c379211 vn="a variant of Win32/ELEX application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\Iobit\asc-setup.exe"
sh=54F618B30CB95D957F0ADED4450BA0BA98EE9A72 ft=0 fh=0000000000000000 vn="a variant of Win32/PSWTool.RouterPassView.B application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\Password\routerpassview.zip"
sh=373FF239732EC6BC362DAF8E08FC2B4418175FFE ft=0 fh=0000000000000000 vn="a variant of Win32/SecurityXploded.A application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\MSNLivePasswordDecryptor.zip"
sh=A662964405F978FA61E61F0C09FEA054EEB2678C ft=0 fh=0000000000000000 vn="a variant of Win32/SecurityXploded.A application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\Facebook\FacebookPasswordDecryptor.zip"
sh=CA062508C0B03BB88FF22DFF8D4924FC95096121 ft=1 fh=15c8a451df620cac vn="a variant of Win32/SecurityXploded.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\Facebook\FacebookPasswordDecryptor\Setup_FacebookPasswordDecryptor.exe"
sh=3E4E8A5FB0931648782A891CFE9FF495634F5CD5 ft=0 fh=0000000000000000 vn="a variant of Win32/SecurityXploded.A application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\Google\GooglePasswordDecryptor.zip"
sh=4B0B52D211572E9A38A4542D85EFDB20EBA82AC0 ft=1 fh=f85cdf58e62b9982 vn="a variant of Win32/SecurityXploded.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\MSNLivePasswordDecryptor\Setup_MSNLivePasswordDecryptor.exe"
sh=591CF93C197764750AD88D14D8180AC714EEEE41 ft=0 fh=0000000000000000 vn="a variant of Win32/SecurityXploded.A application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\Outlook\OutlookPasswordDecryptor.zip"
sh=CC27DB40888B63188E10F08BCF99CCDBE41CB3FC ft=1 fh=8e672c7a52ab6d78 vn="a variant of Win32/SecurityXploded.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\Outlook\OutlookPasswordDecryptor\Setup_OutlookPasswordDecryptor.exe"
sh=9E6680F6E2721EAE0D5FAB1F64C12DBC0F52850D ft=0 fh=0000000000000000 vn="a variant of Win32/SecurityXploded.A application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\WS-FTP\WS_FTPPasswordDecryptor.zip"
sh=1D66D0A9E8A65CA8B43F3D6ECDC01AA2A35D566E ft=1 fh=82db5603dee2b061 vn="a variant of Win32/SecurityXploded.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\password decrypters\WS-FTP\WS_FTPPasswordDecryptor\Setup_WS_FTPPasswordDecryptor.exe"
sh=94D46F5DD9A9B2BB7909CC1183193E4F67B84EF1 ft=1 fh=a627d34be406fc55 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\Speed Utilities\WRCFree.exe"
sh=221F4B4A25BE1BC11A14F9733FE4F3504CD5CB23 ft=1 fh=1c4dd528ab0e1d89 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\rlenihan\Desktop\new programs\Speed Utilities\wufinstall.exe"
sh=AD44A69068930A5A5E100F7E1F14CF189842A670 ft=1 fh=7d75842fbbf8ffab vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.9.1.0.exe"
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5ad7341046f4e442b6a295e22d6068af
# engine=13743
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-05-03 12:12:28
# local_time=2013-05-02 08:12:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5893 16776638 33 7 109295748 109295748 0 0
# scanned=235867
# found=0
# cleaned=0
# scan_time=19282

There was a huge number of files from a previous scan in the quarantine; I deleted them. My Symantec still comes up with notices of infections.

Re: Adware Dealply infection
Please download and install Microsoft Security Essentials. Enable MSE, disable your current AV, and run a scan with MSE. Please tell me what it finds.

Microsoft Security Essentials for Windows XP

Re: Adware Dealply infection
Scan showed nothing found. Originally it could not load; it said I had no space available. The virus kept replicating files and took up 35 gigs in the Symantec temp files. Until I deleted Symantec I was down to 100MB of space left; I now have 57 Gig. Still had issues when running IE but not Google Chrome.

Re: Adware Dealply infection
Scan showed nothing found.

Probably false positives from Symantec.
Still had issues when running IE but not google chrome.

Are you still having problems with IE? What are they?

Re: Adware Dealply infection
AT THIS POINT I HAVE NOT SEEN ANY ADS YET

Re: Adware Dealply infection
Ok, let's do some cleanup.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall


(image: Combofix_uninstall_image)

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

*****************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

(image: Diskcleanup2)

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

(image: Diskcleanup)

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
*****************************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: Adware Dealply infection
Thanks for all your help. Hopefully I'm all set
